The Weekly breach Breakdown Podcast by ITRC - Hide And Seek - S4E11

Show Transcript

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for May 5, 2023. Thanks to Sentilink for their support of the podcast and the ITRC. Each week, we look at the most recent events and trends related to data security and privacy. This week, we will discuss a trend you have heard mentioned here several times – a lack of actionable information in data breach notices and the possibility of some looking to hide data breaches. Let’s call this episode a case of Hide and Seek.

The Lack of Information in Data Breach Notices Continues

In the most recent Q1 ITRC data breach analysis, we reported that 60 percent of the top ten compromises did not have information about the root cause of the event. Forty-one (41) percent of the total number of compromises did not provide information that could help consumers and other businesses prevent a similar event. (More information on this in next week’s podcast on data breach trends in April.)

This is classic under-reporting. The notices may meet the letter of the state law governing the notice to consumers. However, they are not especially helpful if you are seeking useful intel.

Report Highlights How Many Security Professionals Are Asked to Hide Data Breaches

Now comes a study from cybersecurity firm BitDefender that sheds light on a related issue – the number of unreported data breaches. That’s outright hiding the ball.

According to the report released in April, 52 percent of global respondents to the survey said they had experienced a data breach or data leak in the last 12 months. The U.S. led at 75 percent. That’s not so surprising.

This is: They then said the quiet part out loud. Forty-two (42) percent of global security professionals surveyed were told to hide a data breach when it should have been reported. That number jumped to 71 percent of U.S. security professionals who had been told to keep quiet. Nearly one-third of the respondents said they had actually kept a breach confidential when instructed to do so.

With so many data breaches occurring and the overwhelming pressure to keep them quiet, security professionals are caught between the proverbial rock and a hard place. Slightly more than half of respondents said they are worried about their company facing legal action due to a breach being mishandled. 

Iowa and Indiana Pass State Privacy Laws

One quick note on another topic – two more states have joined the ranks that have passed their own comprehensive privacy laws. Iowa and Indiana become the sixth and seventh states to pass a law giving consumers more access to and control over their information when in the hands of businesses. The Governor of Washington State has also signed a medical privacy bill into law.

ITRC Breach Alert for Business Coming Soon

The ITRC continues a beta test of a new service for businesses, Breach Alert for Business, that want to ensure they receive a notification when a data breach at a vendor or partner is entered into the ITRC’s data compromise database. For more information, fill out our interest form here and click “notified business alerts”.

Contact the ITRC

If you want to know more about how to protect your business or personal information, or if you think you have been the victim of an identity crime, you can speak with an expert ITRC advisor on the phone, chat live on the web, or exchange emails during our normal business hours (Monday-Friday, 6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Thanks again to Sentilink for their support of the podcast and the ITRC. Be sure to check out our sister podcast, the Fraudian Slip, for the latest in all things compromise, crime, and fraud that impact people and businesses. We will return next week with another edition of the Weekly Breach Breakdown.