Why Do Companies Wait so Long to Disclose Hacks of Customer Data?

Why are we hearing of hacks taking years to be disclosed?

Data hacks are commonplace for companies that hold large amounts of valuable data. While there are measures that can be put in place to decrease the chance of a hack, much of the damage comes from the delay between the hack and the moment the company chooses to inform those affected. Some of the reasons for that delay are self-serving on the company's part, and some are very realistic. No matter the reason, though, the delay comes at a cost.

1 year? 3 years? Both are too long

A handful of recently hacked companies serve as good examples of delayed response times that consumers were not happy with. Equifax, the credit reporting company, lost control of the personal data of 143 million Americans. It discovered the breach on July 29 but didn't report it until September 7, six weeks later. In the meantime, the social security numbers, home addresses, and birth dates of 143 million Americans were floating around uncontrolled, and who knows what was being done with them. Before the hack was announced to the public, Equifax executives with inside knowledge sold large amounts of stock, ahead of the 14% plunge in Equifax's stock value that followed the announcement of the breach.

A delay of six weeks isn't bad when compared to the Yahoo, LinkedIn, and MySpace hacks. Yahoo didn't announce the hack that put 500 million accounts at risk until three years after the breach occurred. Everything from users' names, email addresses, telephone numbers, and dates of birth to their passwords was accessed. Interestingly enough, Verizon was in the middle of purchasing Yahoo at the time the hack came out. 167 million LinkedIn accounts were compromised, and 360 million MySpace accounts were hacked, all with more than a three-year gap before disclosure. Target alerted its affected shoppers only after the hack had already been announced publicly in the news. Uber hid its hack for over a year after losing the private information of 57 million users of its car service and the driver's license numbers of 600,000 of its drivers. Not only did Uber hide the fact that it happened, it paid the hackers off to keep it on the down-low.

It’s a lose-lose situation

Of course companies will look out for their own good despite having a responsibility to their customers. Aside from this uncomfortable dichotomy, the logistics of announcing hacks to affected people and the public are, without a doubt, difficult. A company certainly can't announce a hack that it doesn't know about, so the time between the hack occurring and the company discovering it is an unavoidable delay in the affected people finding out. But even once a company does know, it needs to make sure it has a full, or at least decent, picture of what happened, how, and who was affected. Without a complete view of the story, it may find itself following up on its announcement with corrections, which is less than ideal. It's really hard to know when people need to be notified, especially if there's uncertainty around what was compromised. Intrusions happen all the time, so companies can't be telling their customers about every little thing, or the bigger, attention-demanding hacks wouldn't get any attention at all. Companies are in a lose-lose situation, though. If they make an announcement prematurely, before having all the details, and then have to go back and issue a correction, they won't look good. And if they wait too long to disclose a hack, people won't be happy with that, either.

Notifications can get in the way of legal investigations

Each state has its own laws regarding when and how affected people need to be notified. Figuring these out can be complicated when a company has affected people in every state, or at least in multiple states. In fact, only 8 states have a required timeline for notifying affected people. These laws may not correspond well with the need to get law enforcement involved. Sometimes law enforcement asks for a breach to be kept on the down-low so as not to let the hackers know a vulnerability has been found. If law enforcement doesn't have the staff available at the time, the investigation could take longer. Meanwhile, the affected people go without knowing that they are even at risk, and nothing is being done to protect them. While it may be legal for law enforcement to ask that a breach not be disclosed so the investigation isn't hampered, the SEC says that an investigation doesn't necessarily mean that a hack cannot be disclosed.

Breaches are complex, distractions make them worse

Various other factors can affect when a company chooses to disclose a breach. If there is not already a breach response team in place, one needs to be assembled. That team then needs to determine who must be notified, and how, based on factors such as the laws of each state affected by the breach, the nature of the compromise, the type of information taken, the likelihood of misuse, and the potential damage if the information were misused. The medical and financial industries have regulations that companies must comply with, but this is not the case for all industries. It's best for the company to have as thorough an understanding of the breach as possible so it can communicate as clearly as possible. It would want to describe how the compromise happened, what information was taken, how the information has been used, what actions the company is taking to remedy the situation, what actions are being taken to protect affected individuals, and how customers can reach out if they have questions. A change in leadership, like the sale of Yahoo at the time of its breach, or any other substantial event can serve as a distraction that keeps a breach from being noticed quickly or slows the response. In theory, though, larger companies should be able to identify breaches faster than smaller ones because they have the funds and the manpower to do so.

If credit or debit card numbers were lost, the credit card companies generally want to disclose the breach quickly so that their customers can have their cards replaced and face minimal fraud risk. Because the breached business may want to take longer to disclose, this can be a source of tension.

The company has a lot to lose

All in all, companies are looking out for themselves. They don't want to be held legally liable; they don't want to damage their customers' view of the company; they don't want their stock value to go down. A breach is basically company suicide. For companies to be more willing to disclose breaches, to the benefit of their customers, they either need a shift in their morals or need some sort of liability protection: they would need to be shielded from the harmful effects of the breach, with no negative consequences falling on them. Unfortunately, protection from the government or some other source means that they would have even less motivation to keep breaches from happening in the first place.

The SEC is taking a stance in a vague sort of way

The SEC issued guidelines in October 2011 regarding cybersecurity attacks that require companies to "quickly" report information that affects the financial outlook of the company to investors and potential investors, especially when the data lost is core to the company's business model. What does "quickly" mean, anyway? There are no set time limits, and this leaves lots of room for interpretation. Consequently, only a few companies report hacks to the SEC each year: 106 companies have reported a hack since the guidance was issued in 2011. The longer a company waits, though, the more likely it is to be scrutinized by authorities such as the SEC, the U.S. Federal Trade Commission, and state attorneys general.

Mounting risks with passing time

When companies take a long time to disclose hacks, like Yahoo, Uber, Target, and others that went down in history for pulling something like this, the potential damage done increases daily. With each passing day, someone could be using personal data unbeknownst to the person from whom it was stolen. People cannot take preventative measures until they know they are at risk. Additionally, delays in reporting mean that people are making decisions about buying or selling stock based on inaccurate stock prices. Unfortunately, people with insider knowledge end up with the upper hand here. Companies do seem to recover quickly, but not without lawsuits, civil penalties like those Uber is facing, and customers feeling that their trust was betrayed.

Unfortunately, it can be difficult to protect a company from hackers. Github is not a very forgiving environment, and hacks are commonplace. The best solution may simply be to respond quickly and responsibly. After all, companies do have a duty to their customers and their investors. Currently there is no national data breach notification law. One could be helpful, but at the moment the laws of individual states are more restrictive than any federal law that has been proposed. Though disclosing information to customers quickly could hurt brand loyalty, it could help educate the industry as a whole and make it better at defeating these hacks. As long as companies are amassing this much private information, individuals need to be extra responsible about monitoring their own information and credit, since they may not find out from a breached company right away.