The Complicated Ethics of Data-Breach Disclosure

Photo courtesy of Yahoo

What’s more gut-wrenching than the moment you discover your company’s network has been breached? Having to publicly announce that breach.

As disclosure laws remain murky, companies face a new conundrum. You can be upfront and risk long-term losses (customer trust, share price, remediation costs). Or you can divulge breaches only on a need-to-know basis and risk backlash from those demanding that companies become more transparent. Which is the better gamble?

Lately, thanks to the miasma of corporate misery in the wake of Yahoo’s hack, option #1 has been looking more attractive. Its email breach, which compromised at least 500 million accounts, occurred in 2014. But customers only learned of it last month. That time lag has ignited heated talk about how long a company can wait before reporting a hack.

Yahoo told the SEC that it had not known about the incident, which came to light shortly after Verizon agreed to acquire the company for $4.8B. (Verizon says it learned of the breach only two days before the public did.) But according to Fortune, “There is strong evidence Yahoo knew about the attack for well over a month, and possibly much longer.” The Financial Times gets even more specific, reporting, “Marissa Mayer has known since July that Yahoo was investigating allegations of a serious data breach.” The suspicion has spiraled beyond Yahoo’s control.

Subsequent revelations that the Internet giant had cooperated with intelligence agencies to scan customer emails may turn into more than an ethical debate. Many speculate that the custom software Yahoo used to covertly search emails introduced security holes of its own. “Given Yahoo’s recent track record in failing to secure software and systems they develop when security is involved,” Jeff Pollard, principal analyst at Forrester, told SC Magazine, “it’s hard to believe clandestine code would be as, or more, secure than what they built when they actually involved the security team.” Yahoo’s revolving door of CISOs did not help that security team, either.

Senator Richard Blumenthal has encouraged Congress to make an example of the company. “As law enforcement and regulators examine this incident,” he said in a statement, “they should investigate whether Yahoo may have concealed its knowledge of this breach in order to artificially bolster its valuation in its pending acquisition by Verizon.”

Chart courtesy of Statista

According to a Ponemon Institute study last year, financial companies take an average of 98 days to spot a breach, while retailers take 197 days (more than half a year). That figure covers both detecting suspicious activity and triaging it. It is possible that Yahoo withheld what it knew; it is also conceivable that, lacking security analytics, it dismissed early warning signs as false positives. In either scenario, attackers had access to sensitive account data for nearly two years before Yahoo realized something was wrong. For a company handling this much data, security analytics is essential. It cannot prevent every intrusion (let’s face it: criminals are always going to try). But it could have surfaced the anomalous activity early and given Yahoo the chance to contain the breach in its early stages. Hindsight is indeed 20/20.

A major issue with successful breaches is that federal laws on disclosure are murky at best, so guiding ethical practice through compliance is harder than it seems. Even if it is unclear whether companies break the law by delaying disclosure, customers are growing increasingly suspicious of the secrecy. Senator Mark Warner has also asked the SEC to investigate Yahoo’s conduct, adding, “Since published reports indicate fewer than 100 of approximately 9,000 publicly listed companies have reported a material data breach since 2010, I encourage you to evaluate the adequacy of current SEC thresholds for disclosing events of this nature.”

The SEC does have a policy. It is just very vague: its rules require disclosure only of incidents that are material to investors, and leave it to each company to decide what counts. Not surprisingly, the SEC, writes Reuters, “has never acted against a company for failing to disclose a cybersecurity incident or threat, and it has brought just two enforcement actions against companies for insufficient data protection.”


As a result, the FTC has taken matters into its own hands. Since 2001, it has settled roughly 60 cases against companies that failed to reasonably protect consumers’ personal information. Many states have adopted their own notification rules, too. (New York Attorney General Eric Schneiderman, for instance, fined Trump International Hotels Management $50,000 over the compromise of 70,000 credit card numbers after the company took roughly three months to report the breach.)

There are bigger wheels in motion; they are just not gaining traction fast enough. The Cybersecurity Act of 2015, signed by the Obama administration, grants liability protection to companies that share threat information with each other or with the government. But companies have been reluctant to embrace it, wanting far more legal detail. The far more assertive Data Security and Breach Notification Act would require disclosure to affected consumers within 30 days (unless notification would interfere with a national-security investigation), but it has yet to pass.

Yahoo’s unfortunate situation is a rude awakening. If a company fails to put proactive security in place, then when the inevitable attack succeeds, the onus falls squarely on the company. “Our investigation into this matter is ongoing,” a Yahoo spokesperson said recently. “And the issues are complex.”