Should Your Organization Report a Data Breach?

Should you report a breach of security?
He's coming for your data.

If (or more accurately, when) your organization suffers a data breach, how damaging does it need to be in order for you to report it? Sharing the existence of the breach, as well as when and how it happened, is seen by some as a necessary way to pool information and defeat hackers.

A breach clearly needs to be reported and detailed as soon as possible to any company or individual that has their data compromised. But, beyond the exposed individuals or organizations, is the reporting of a breach the best course of action?

Last year, I engaged in an impromptu debate with an FBI agent at an IT security event in regards to the reporting of data breaches. His position, understandable given his profession, is that the second a breach occurs an organization should call in the FBI to help get to the bottom of it. My position is, and remains, that while a company has a responsibility to those whose personal, private information is exposed, a company needs to carefully consider whether they should open themselves to the criticism and potential business damage that would come with reporting each and every data breach. And even if not reporting publicly, a company should be hesitant to report to a government agency. There is risk in trusting a government employee or industry organization to keep things quiet.

Beyond protecting the reputation of an organization, there is a strategic aspect to keeping data breaches quiet. Sometimes the best protective action is to track a hacker post-access, as they continue to roam. Offering a section of a website with seemingly valuable, but non-core information as an invitation to get hackers to tip their hand as to their strategy can be a valuable way to gain intelligence on avenues of attack that a hacker may favor.

An interesting point/counterpoint debate on the issue of mandatory reporting took place in the Wall Street Journal recently, and may help inform your organizational policy on the issue.

Presumably, those within your organization charged with establishing and maintaining acceptable levels of IT security are in touch with other experts in their field in environments where discretion is respected.  But how much faith to have in the confidentiality of those communities, and whether a government entity can be trusted with the job, is a different issue entirely.