Why So Many Data Breaches Don’t See Light Of Day
There is a very interesting article over at Dark Reading, by Mathew J. Schwartz of InformationWeek, that discusses the apparent lack of "transparency" throughout the USA when it comes to data breach reporting. No doubt, a data breach is enormously expensive (see our Rips category for just a few samples of that), and it will ruin the day of many a person in the breached organization. For some, it might be a CLE (Career Limiting Event). Certainly no one is in a great rush to alert the media when his or her organization has suffered a breach.
But given recent legislation establishing data breach notification requirements, why might it still be true that many breaches either don't get reported at all, or get "under-reported" in the sense that the notice provides few, if any, details and numbers about the breach (such as the number of individuals affected)?
The article reports that the ITRC (Identity Theft Resource Center) sees one cause in the fact that some states now keep a "protected" breach list that is not made public at all, or is accessible only through a formal Freedom of Information Act request. Similarly, for medical data breaches, the US Department of Health and Human Services has introduced a "risk of harm" threshold for notification, which has been contentious since it first appeared. Opponents argue that it removes the core incentive behind breach notification requirements in the first place: the incentive for organizations to protect data, lest they have to report a breach.
Furthermore, in many cases organizations are allowed to perform their own assessment of the "risk of harm," and an organization that decides for itself whether a breach is harmful has every incentive to conclude that it is not. Could this be akin to letting a convicted criminal sentence himself? Perhaps.
In any case, the article helps identify some very likely causes of continued data breach under-reporting, which in turn helps reinforce the claim that it’s really worse out there than most people realize. Ignorance may not be bliss.