Small Businesses Aren't Fessing Up to Data Breaches

A survey released on Tuesday shows that only 33 percent of U.S. companies that were hacked ever notified the victims of data theft, notwithstanding legal obligations (Photograph by Notorious91)

A host of high-profile U.S. companies owned up to having been hacked in recent months, including Apple, Facebook, Microsoft, the New York Times, and the Wall Street Journal. Last week, Citigroup and Goldman Sachs included disclosures about their vulnerability to hackers in regulatory filings.

Whether you think large corporations are going far enough in revealing cyber attacks, small businesses are probably far less forthcoming, at least according to a study released today by Ponemon Institute, a security research firm in Traverse City, Mich. Not that only small businesses are reluctant to talk about their security concerns: As Gillian Tett argued (subscription required) in the Financial Times in January, “the overwhelming majority of companies today are terrified of talking too publicly” about cyber attacks.

The Ponemon study, which polled more than 1,200 U.S. businesses with less than $10 million in annual revenue, was commissioned by a unit of the reinsurance giant Munich Re.

I wasn’t surprised that 55 percent of respondents reported at least one data breach; of those, more than half had been compromised multiple times in the year prior to the survey. (Nine percent couldn’t recall how many times they’d been breached, posing the question: At what point do you lose count?) All but 8 percent of the compromised companies said they had lost what security experts call personally identifiable information—data such as driver’s licenses, credit cards, and Social Security numbers.

What caught me off guard? Only 33 percent of the compromised companies in the survey said they had informed data-breach victims of their losses. That is, many of the survey respondents that lost track of customers’ or employees’ personal data didn’t bother to alert the victims. Laws in 46 states (PDF) require that data breach victims be notified of the loss of personal info.

“When it comes to disclosure, a lot of them think, ‘We’re so small, no one’s going to know,’” says Eric Cernak, a vice president at Hartford Steam Boiler, the Munich Re subsidiary that commissioned the Ponemon study. “They’ll say: ‘Let’s just sweep this under the rug. We’re not going to report it because no one’s going to find out about it.’”

HSB is marketing an insurance product for small businesses that would provide funds to notify customers in the case of a data breach; read his comments—and the results of the study—in that context. Cernak says even half-measures, such as cheap anti-virus software or firewalls, can convince data thieves to seek a softer target.

Meanwhile, as the public becomes increasingly aware of cyber attacks, Cernak expects law enforcement to pay closer attention to the way companies respond to breaches. “Some state attorneys general seem to be more active than others,” he says. “We see some starting to enforce the notification requirements when there’s been a breach.”
