Disclosure Lag in Data Breaches
The recent milestone of 1,000 data breaches loaded into Have I Been Pwned (HIBP) has highlighted a disturbing trend: the increasing lag time for disclosure. This issue is not limited to a single company; it is a widespread problem that affects organizations of every kind. The Carnival breach, for example, had a 43-day delay in disclosure, while the Zara breach had a staggering 45-day delay. These extended periods put individuals at risk, as their sensitive information is exposed to the public without their knowledge.
This lag in disclosure is often attributed to the need for organizations to fully assess the scope of exposed data before notifying individuals. However, this reasoning is flawed, as it implies that early notification cannot occur until a comprehensive understanding of the impact is established. In reality, pulling out email addresses and sending early notification is a relatively simple process. The lack of transparency in these situations raises concerns about the true motives behind the delay.
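The paragraph above argues that pulling the affected e-mail addresses out of a breach dataset for early notification is straightforward. The following is an added example (not code from the article, from HIBP, or from any of the companies named) that shows the shape of that task: read an exported account table, normalize and de-duplicate the addresses into a notification list, and compute the disclosure lag in days. The CSV layout, the column names and every record are constructed for illustration.

```python
"""Early-notification helper: extract the distinct e-mail addresses from a
breach export and measure the disclosure lag against a reference date.
Added example; the CSV layout and all records are constructed, not real."""
import csv
import io
import re
from datetime import date

# Constructed sample export, one row per exposed account. Real dumps are
# messier than this (duplicate accounts, mixed case, stray whitespace).
SAMPLE_EXPORT = """user_id,email,signup_date
1001,Alice@Example.com,2019-04-02
1002,bob@example.org ,2020-11-17
1003,alice@example.com,2021-01-09
1004,not-an-email,2021-03-30
1005,  CAROL@Example.NET,2022-07-21
"""

# Deliberately simple: the goal is a deliverable notification list, not
# full RFC 5322 validation, so reject anything with no local part, no
# domain, or embedded whitespace.
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalize_email(raw):
    """Trim whitespace and lower-case the address; return None if it is not
    a plausible mailbox. Lower-casing the local part is a simplification
    (assumption: the recipients' providers treat it case-insensitively)."""
    candidate = raw.strip().lower()
    return candidate if _EMAIL_RE.match(candidate) else None


def unique_recipients(csv_text, email_column="email"):
    """Return (sorted unique addresses, number of rows with no usable address)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    seen = set()
    skipped = 0
    for row in reader:
        address = normalize_email(row.get(email_column, ""))
        if address is None:
            skipped += 1
            continue
        seen.add(address)
    return sorted(seen), skipped


def disclosure_lag_days(breach_iso, notification_iso):
    """Whole days between the breach (or its discovery) and the notification,
    both given as ISO dates; this is the figure the article quotes as 43
    and 45 days for the two breaches it names."""
    breach = date.fromisoformat(breach_iso)
    notified = date.fromisoformat(notification_iso)
    if notified < breach:
        raise ValueError("notification cannot precede the breach date")
    return (notified - breach).days


if __name__ == "__main__":
    recipients, skipped = unique_recipients(SAMPLE_EXPORT)
    print(f"{len(recipients)} distinct recipients, {skipped} unusable rows")
    for recipient in recipients:
        print(" ", recipient)
    # Constructed dates: a breach on 1 March disclosed on 13 April.
    print("lag:", disclosure_lag_days("2024-03-01", "2024-04-13"), "days")
```

The point of the split between `unique_recipients` and the actual sending step is that the recipient list can be produced and reviewed on day one, while the fuller impact assessment (which fields were exposed, for whom) continues in parallel; the two do not have to wait for each other.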
Furthermore, the proliferation of class actions immediately following a breach may be contributing to the worsening disclosure lag. Organizations may be prioritizing the protection of their interests over the well-being of their customers, as evidenced by the numerous class action lawsuits that arise after a breach. This shift in focus can lead to a delay in disclosure, as companies may be more concerned with minimizing their liability than with informing affected individuals.
The Mechanics of Disclosure Lag
One of the primary factors contributing to the disclosure lag is the way organizations respond to data breaches. Rather than prioritizing transparency and customer notification, they may be more focused on protecting their interests and minimizing liability. This approach can lead to a delay in disclosure, as companies may be more concerned with assessing the scope of the breach and preparing for potential lawsuits than with informing affected individuals.
The use of “sensitive PII” and “special categories of personal data” definitions in regulations such as GDPR and CCPA can also create loopholes that allow organizations to avoid disclosure obligations. These definitions can be used to justify the non-disclosure of certain types of data, even if it is sensitive and potentially damaging to individuals. This lack of clarity can lead to a lack of transparency and accountability in the event of a data breach.
In addition, lawyers and class action lawsuits can play a significant part in the disclosure lag. Organizations may be more focused on protecting themselves from lawsuits than on informing affected individuals, leading to a delay in disclosure. This approach can be seen in the way companies respond to data breaches, with a focus on minimizing liability rather than prioritizing transparency and customer notification.
Winners and Losers in the Disclosure Lag
The winners in the disclosure lag are the organizations that are able to avoid disclosure obligations and minimize their liability. These companies may be able to protect themselves from lawsuits and reputational damage, but at the expense of their customers’ trust and security. The losers, on the other hand, are the individuals whose sensitive information is exposed to the public without their knowledge. These individuals may be left vulnerable to identity theft, phishing, and other forms of cybercrime.
The supply chain actors and adjacent markets that are affected by the disclosure lag are also losers. These companies may be impacted by the reputational damage and loss of trust that results from a data breach, even if they are not directly responsible for the breach. Among the job categories affected are cybersecurity professionals, who may be tasked with responding to the breach and minimizing the damage.
The impact of the disclosure lag can also be seen in the way it affects the broader market. The lack of transparency and accountability in the event of a data breach can lead to a lack of trust in organizations and their ability to protect sensitive information. This can have a ripple effect throughout the market, leading to a decrease in consumer confidence and a loss of business for organizations that are perceived as untrustworthy.
The Skeptical Case
One argument against the idea that the disclosure lag is a significant problem is that it is simply a necessary part of the response to a data breach. Organizations may need time to assess the scope of the breach and prepare for potential lawsuits, and the delay in disclosure is a necessary part of this process. However, this argument ignores the fact that the disclosure lag can put individuals at risk and damage trust in organizations.
Another argument is that the disclosure lag is not unique to the data breach context, and that similar delays occur in other areas of business and law. However, this argument fails to recognize the unique nature of data breaches and the sensitive information that is at stake. The disclosure lag in the context of data breaches is a specific problem that requires a specific solution.
The Signal to Watch Next
One signal to watch next is the response of regulatory bodies to the disclosure lag. Will they take action to address the issue and require organizations to disclose breaches in a more timely manner? The response of organizations to this issue will also be important to watch, as they may begin to prioritize transparency and customer notification over the protection of their interests.
Another signal to watch is the impact of the disclosure lag on consumer confidence and trust in organizations. Will the lack of transparency and accountability in the event of a data breach lead to a decrease in consumer confidence and a loss of business for organizations that are perceived as untrustworthy? The answer to this question will be important in determining the long-term consequences of the disclosure lag.
By Priya Nair, AI & Startup Reporter at TrendFlashy