Disclosing Data Breaches


This morning’s WSJ had an interesting article, “Corporate Judgment Call: When to Disclose You’ve Been Hacked.”  The concern raised was that although hacks and data breaches are more common, few are reported to the SEC as required. 

While the duty to report hinges on the nuances of what is considered “material,” the corporate concerns are understandably about how disclosure will impact the price of the stock as well as corporate performance.  The thought struck me that we need an attitude shift.  Why?  Simply because being hacked and suffering a data breach is a matter of when it will happen, not if it will happen.  We need to erase the stigma associated with it in order to have a healthy debate about solving this plague.

Compare the stigma of disclosing a data breach with the stigma once attached to mental health.  While attitudes have changed, at one time the stigma associated with mental health forced many to avoid treatment.  There is a prevailing attitude in many companies that all data breaches are preventable and that when they happen, someone has to take the blame.  In some cases this may be true, particularly if those charged with protecting the corporate assets were negligent or failed to act reasonably.  Yet despite best efforts, data breaches can and do happen, and the critical factor then becomes detection and containment before the business suffers substantial harm.

By eliminating the stigma associated with reporting a data breach, we may collectively be better able to share insights and the disclosure may even help other businesses become aware of an attack vector and prevent the same kind of attack from happening elsewhere.

What are we missing out on by stigmatizing data breach disclosure?  How can reporting of data breaches become de-stigmatized?
