An article on WSJ.com discusses how some corporate executives are questioning the prevailing view that companies should always notify customers, vendors and authorities after a security breach.
Instead, according to the article, these executives argue that many breaches don’t lead to harm and can be handled quietly. They contend that not every corporate document is a valuable trade secret; credit-card numbers may be exposed but never stolen, or stolen but never used. Disclosure can cause its own problems, prompting consumers to waste time replacing credit cards, for example.
Most seriously, they say, going public could expose weaknesses that others could exploit. “You wouldn’t necessarily disclose a nation-state actor trying to do harm in an industry that’s very vulnerable,” Leslie Thornton, general counsel of WGL Holdings Inc., a Washington, D.C., gas utility, told a forum sponsored by the Securities and Exchange Commission last month. Russian and Iranian hackers have targeted U.S. energy companies during the past year, U.S. officials and private researchers have said.
It’s unclear how many executives share this viewpoint. At a closed-door meeting of the National Association of Corporate Directors in June, some participants questioned the value of disclosing hacks, weighed against the negative publicity.
The article states that talking openly about cyberthreats is controversial because some executives fear it can make the company a target for hackers and such statements could be used against them in litigation.
“It’s poor form to say it publicly,” said Jeffrey Carr, who talks often with corporate leaders as founder of the “Suits and Spooks” cybersecurity conference. “There’s an international movement toward more transparency not less.”
Others say companies have a duty to disclose hacks to business partners, customers and investors who may have been affected. Many computer-security experts say disclosure helps others respond to an attack and deters future hacks.
“Understanding the scope of the threat and the damage it’s doing and even how an attack succeeds would be really useful for the country,” said James Lewis, a senior fellow at the Center for Strategic and International Studies who often advises Washington officials on cybersecurity. “If you’re a CEO or a general counsel, you might make America safer to share the information but you also might be out on the street.”
The debate among executives mirrors divisions among government officials.
According to the article, the SEC in 2011 required companies to disclose “material information regarding cybersecurity risks and cyber incidents.” In a speech last month, U.S. Treasury Secretary Jacob Lew told financial firms to share more with each other and law enforcement on hacking incidents, although not necessarily in public. “There cannot be a code of either silence or secrecy about the steps necessary to protect our basic security,” he said.
Yet other law-enforcement and national-security officials say some incidents should be kept quiet. Some U.S. investigators say privately that blabbing about a cyberattack could tip off foreign intruders the U.S. is on to them.
Disclosing hacks wasn’t always routine. Before 2005, only California required companies to notify consumers whose data had been stolen. Then hackers stole a trove of records from ChoicePoint, a consumer-data firm since acquired by Reed Elsevier PLC. ChoicePoint initially notified only consumers in California, even though thousands of consumers in other states may have also been affected. The incident helped spark a wave of legislation in other states. Today, 47 states require companies to notify consumers of data thefts, including Kentucky, which enacted such a law this year.
Executives describe a complex calculus in deciding whether to disclose hacking incidents. After a payment-card breach, banks often reimburse consumers for fraudulent charges, whether the hacked company goes public or not.
“If you never disclose the breach at all, then you don’t have class-action suits,” Doug Meal, a partner at Ropes & Gray LLP, said in an interview this spring. Mr. Meal advised Target Corp. after hackers stole 40 million credit- and debit-card numbers late last year. The Target breach was disclosed by a blogger, but the state disclosure laws likely would have forced Target’s hand. Molly Snyder, a Target spokeswoman, said, “We want to be explicitly clear that Mr. Meal’s statements do not reflect the beliefs of Target.”