
IT director: "Customers have a right to know... "
Published: 5 May 2006 17:05 BST
A leading fraud investigator has said the retailer at the centre of a recent credit card details security breach cover-up should definitely disclose details of the breach and admit what has occurred.
And it's a view shared by the heads of IT at a number of organisations.
Bryan Sartin, VP investigative response at Cybertrust, has worked on many large security breaches and this week told silicon.com that companies rarely make the right decision when they decide to hide what has happened, adding "the damage is tremendous" when that decision backfires.
Sartin said: "If they disclose immediately it almost seems to bode well for the company."
Sartin said he's been in to investigate many companies where disclosure announcements and notifications to shareholders and the industry have been sat waiting for the moment they might be needed, while the company clings on to the idea "it can be swept under the carpet".
He said: "There are too many companies who think, 'We'll only disclose anything when we absolutely have to'. But seldom have I seen that approach work," adding that the truth has a habit of coming out when companies least expect it, whereas through disclosure they can handle how the message gets out.
Sartin said: "If it comes back to haunt you, it will be a nightmare from an image perspective." He added industry and consumers understand to a degree that breaches are a risk of doing business, while attempting to cover them up can lead to a further breakdown in customer relations.
His view is shared by many heads of IT in business.
Luke Mellors, IT director at The Dorchester Hotel in London, said companies must absolutely disclose such breaches. And he added that companies shouldn't wait for a change in the law - to echo legislation now in place in California - but should do it as a matter of course.
Mellors said: "Organisations that realise a security breach [has occurred] should choose to contact their customers out of respect and to encourage vigilance. Waiting for legislation to be created to do what is the right course of action is irresponsible."
Russell Altendorff, IT director at the London Business School, said: "Customers have a right to know. The organisation would never be in a position to know what the ramifications are to the customers of the breach of confidentiality and if they chose to hide it they may further compromise the customer in ways that they could not anticipate."
David Supple, head of IT and creative services at Ecotec, an economic and social development researcher, said: "Not only will [disclosure] give a level of confidence to the consumer it will also help bring IT security higher up the company agenda when the threat of public disgrace could potentially hang over a company brand."