Publicly, all retailers have—historically—said that data breach disclosures need to happen quickly and publicly. Privately, though, IT and security specialists have long questioned the point of such disclosures, especially the early ones. The initial reports are almost always wrong, shoppers can’t do anything useful with the information and it does little more than create panic, they’ve argued.
Those IT arguments have almost always been kept behind the scenes, but a very prominent Information Security executive–Dawn-Marie Hutchinson of Urban Outfitters—has broken the retail Omertà by discussing these thoughts with The Wall Street Journal. “There is this crazy hysteria” about cyberattacks, she said. “Placing blame, it doesn’t help anybody.”
Hutchinson even disclosed an interesting procedural rule in case of a breach. After a cyberthief attack involving consumer data, the Journal said, Hutchinson’s “first call isn’t to her boss, who is Urban’s technology chief. Instead, it’s to the company’s general counsel, a shift the company made post-Target to cloak the conversations under attorney-client privilege.”
Although Hutchinson’s facts are correct and represent a widely-held opinion, the public act of arguing for disclosure delays is impressively ill-advised. Consumers don’t react to facts. They react to emotions. If they hear a retailer speaking of the need to keep data-breach (involving customer data) details secret from those customer victims, it will generate outrage and a sense of betrayal.
Surveys routinely show that shoppers lack trust in retailers, suspicions that would be sharply expanded by such public comments. This is classic damage control. Right and wrong doesn’t matter and breach details do not matter. It’s all about a sense of trust. And arguing for secrecy to the people you want to keep the information from is never a wise move.