Shostack + Friends Blog Archive


UK Story On Breaches and Silence

IT Week in the UK writes, “Companies keep silent on data breaches.”

There are a couple of interesting quotes:

Jonathan Coad, a media specialist at law firm Swan Turton, said newsworthy breaches are often leaked to the press. “Reporting crime to the police is a double-edged sword as invariably the press has found out about the incident within 24 hours,” he said.

I raise my eyebrow a bit because of the words “often” and “invariably” appearing together. I side with the reporter on “often” and just don’t buy “invariably.” Nonetheless, if people believe that telling the police is the same as telling the press, they’ll refrain from telling the police.

However, Maxine Holt of analyst firm Butler Group argued that corporate victims not reporting crimes “is of no use to anybody”.

I concur, and so the question is how to make sure that the proper notifications reach the proper people at the proper time. That is why no simple rule has been set on this. More in another post.

One comment on "UK Story On Breaches and Silence"

  • rybolov says:

    Police reports, at least in the US, are usually public record and are available in most jurisdictions for a small ($5) administrative fee.
    They’re also in some newspapers regularly (it’s more of a data dump than an article).
    I’m all about involving the police, though. As a corporation, I can’t go to somebody’s house and search for the laptop they stole from us. The police on the other hand can. So can the FBI if the laptop had sensitive government data on it. I like being able to pull on that assistance if I need it.
