Nearly half of security practitioners told to ‘keep data breaches under wraps’


Nearly half of cyber security practitioners have been told to keep data breaches “under wraps” by senior management in the last year.

The survey of 400 IT and security professionals, published this week by Bitdefender, found that 42% had been told to keep a breach confidential when they knew it should be reported.

Similarly, nearly one-third (30%) said they actively avoided disclosing a breach themselves despite specific processes being in place.

US-based security practitioners were the most likely to have kept a breach “under wraps” when they knew it should have been disclosed, with 71% failing to alert senior management or customers.

Staff in the UK, France, Germany, Spain, and Italy were among the least likely to keep a breach to themselves.

Respondents' claims about disclosure come amid heightened concern over how data breaches are managed and the rising cost of security incidents, Bitdefender found.

More than half (52%) of global respondents said their organisation has experienced a data breach or data leak in the last 12 months. In the US specifically, 72% of respondents said they had experienced such an incident.

The study also noted that 55% of respondents said they are increasingly worried about their company facing legal action due to an incident being handled incorrectly.

Disclosing data breaches


Failure to disclose data breaches can pose a significant risk to organisations, as legislation in both the European Union (EU) and the US requires businesses to notify regulators and/or affected individuals when personal data is exposed.

EU-based organisations are required to notify a supervisory authority “without undue delay” and within 72 hours “at the latest after having become aware of the breach”.

In the US, all 50 states have security breach notification laws that require businesses to notify affected customers or employees if a data breach occurs.

In January, the Federal Communications Commission (FCC) proposed an overhaul of its breach notification rules for telecoms firms, including shortening the time they have to report data breaches.

Failure to disclose data breaches can also have a significant impact on individuals. In October 2022, former Uber chief security officer Joseph Sullivan was convicted for failing to disclose a data breach which affected millions of users and employees.

Sullivan was found guilty of obstructing an FTC investigation into an earlier Uber breach and was convicted on a separate charge of misprision of a felony, that is, deliberately concealing a crime, after engaging with the attackers responsible for the 2016 incident to keep it from going public.

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.