Policy Hypocrisy

3:43 PM -- I guess I'm just gullible. When I was eight, I believed in Santa Claus. Last year, I bought a Pasta Express. And recently, I thought the state laws that mandate security breach disclosure would really force companies to notify their customers of potential identity theft.

Here at Dark Reading, we're constantly flooded with news stories about hacks and stolen laptops that expose the personal data of consumers and employees. I can hardly drink my Tang without hearing about another company that's lost a big batch of customer data.

The experts say that the rash of reports isn't the result of a new rash of attacks, but of new laws that force companies to report all suspected security breaches, even when the company isn't sure whether data has been stolen. AOL's recent blunder in releasing search information for 650,000 users, for example, was brought to light in part because of laws that required the company to inform customers of potential identity theft risks. (See Users Outraged by AOL Gaffe.)

But the fact is the public doesn't even know the half -- or at least 40 percent -- of it. Because despite state legislation that mandates breach disclosure under penalty of law, many companies say they still would not report a suspected hack if they found one.

In Dark Reading's "Security Scruples" survey, which concluded this week, we asked some 649 IT and security managers a hypothetical question about what they would do if they discovered that a hacker had tapped into their customer database. "The database contains personal information," we said, "but you can't say for sure whether any data was stolen." (See Corporate Ethics are 'Situational'.)

In response, more than 9 percent of companies said they would fix the vulnerability, and then cover up the breach completely. More than 31 percent said they would inform law enforcement, but would not notify customers. Did you do the math? More than 40 percent of the companies surveyed said they would not tell their customers if they believed their customer database had been hacked.

Respondents whom we interviewed after the survey relayed a simple logic behind this choice. The cost of bad publicity from a hack, they said, is higher than the costs of fines or censures from state governments whose laws may be broken by the lack of disclosure. Given a choice between breaking a law and protecting their reputation, many companies would simply choose to break the law.

To be fair, there were many respondents who said the new state laws have affected their disclosure policies, and they are prepared to disclose breaches to customers when they occur. But the fact that nearly 40 percent of companies said they would not disclose the violations almost offsets the positive impact of the legislation.

And so, Virginia, we can only reach one inevitable conclusion: Despite companies' "official" disclosure policies and state laws to enforce them, many companies will continue to hide the security breaches that affect their businesses -- and ultimately, their customers. In some cases, the dollars carry more weight than the cops.

As for me, I feel a little bit wiser now, but my gullible side has been disillusioned once again. I mean, what's next -- is somebody going to tell me that Pluto isn't a planet anymore?

— Tim Wilson, Site Editor, Dark Reading