DataBreaches.Net


If entities continue to obfuscate and lie, it’s time to mandate more transparency in breach disclosures

Posted on November 12, 2023 by Dissent

— An OpEd by DataBreaches —

When it comes to data breach disclosures, the very same entities who claim to take our privacy and security very, very seriously are generally not being transparent in their breach disclosures. Their refusal to be transparent often results in consumers and patients being left in the dark about the risks we face from breaches. Those affected may first find out about incidents from threat actors or the media instead of from the entities who were responsible for securing the data. DataBreaches believes it’s time to consider promoting legislation that will require disclosure of facts about breaches that are currently being withheld and that will prohibit certain kinds of obfuscation or “weasel words” that mislead consumers and patients.

As one recent example of frustrating non-transparency, WDRB reported, “Norton, a company serving about 600,000 patients a year with nearly $5 billion in assets, continues to be tight-lipped about the May 9 data breach, which it refers to as a ‘cyber event.’ That breach has been the subject of speculation for months as the company works to recover its information and patients struggle to obtain prescriptions and schedule appointments.”

Their so-called “cyber event” was a ransomware attack by AlphV (aka BlackCat). Has Norton learned nothing in 6 months about the scope of the breach that they could share with those affected?

The alleged lack of transparency by Norton is just one more example of a recurring problem this year. We’ve seen all too many entities engage in verbal gymnastics to avoid simply acknowledging they were the victim of a ransomware attack. And we’ve seen all too many entities tell people that their data “may have been exposed” when the entity already knows that not only were data accessible to the threat actor, but data was exfiltrated, and not only was data exfiltrated, some data was already being leaked and more would probably be leaked.


Any entity that knows data are being leaked on the dark web and/or clearnet but does not disclose that to those whose data was stolen should be fined for every day that it fails to make that disclosure, and its executives should be held responsible.

And then there are entities who rush to assure people that they have no evidence that data has been misused even though it’s early days, and even though they know that the data is in the hands of criminals who wouldn’t hesitate to misuse it. Brett Callow of Emsisoft has been recently highlighting these types of misleading statements. Discussing a notice by the Toronto Public Library, Callow told the Toronto Star:

Claiming that there’s ‘no evidence’ when the forensic work to find the evidence is still ongoing is irresponsible and exposes those affected to unnecessary risk. If they don’t know that their information may have been compromised, they don’t know they should be monitoring their bank accounts, changing their passwords, etc.

DataBreaches agrees with Callow. Rather than giving reassurances that may need to be revoked or revised in a matter of weeks, entities should be prohibited from giving quick assurances and instead state something to the effect of, “It is too soon to know about whether data has already been misused or is likely to be, but on the principle of rather safe than sorry, people should take the following steps if they want to protect themselves: … a, b, c…”

One way in which some entities try to distract us or dissuade us from pressing them for information is to mention (and often, more than once) that they are cooperating with law enforcement. So what if they are? Cooperation with law enforcement is not an excuse not to be transparent unless the FBI specifically asks the entity not to disclose something. In almost all cases this year where DataBreaches has seen entities state they are cooperating with the FBI or law enforcement, they are not claiming that they were asked to delay or withhold notification. Statements about cooperating with law enforcement are also often accompanied by statements that the entity cannot reveal more because of an ongoing investigation. That, too, is misleading. There is nothing that legally prevents most entities from informing you that they already know some data was stolen from their server or that they already know some data has been released on the internet by threat actors trying to pressure them. They are choosing not to be transparent with you.

Some entities frankly admit that they are being advised not to be transparent — to limit liability or for other reasons. DataBreaches believes that if an entity needs time to secure its network, that is a legitimate justification for not disclosing some information about the attack until it is secured. And if law enforcement does ask the entity not to disclose something because it will jeopardize a law enforcement activity, that, too, might be an acceptable reason not to disclose facts the entity is already in possession of. But if the sole or main purpose is just to protect the entity from scrutiny or criticism when consumers and patients are demanding information, DataBreaches believes that the lack of transparency is unacceptable.


The ultimate victims of a breach — consumers and patients — should not first find out from criminals or reporters that their data has been stolen or leaked. They should find out first from the entity responsible for their data. And they should be given accurate information and not “weasel words” or misleading statements.

Enforce Existing Regulations and Statutes

DataBreaches urges state attorneys general to enforce state laws on data security and breach notifications.

The Federal Trade Commission also has authority under Section 5 of the FTC Act to take action against entities that engage in deceptive and unfair practices. DataBreaches believes that incomplete and misleading breach disclosures constitute an unfair practice as defined in the Act: an act or practice that (1) causes or is likely to cause substantial injury to consumers, (2) cannot be reasonably avoided by consumers, and (3) is not outweighed by countervailing benefits to consumers or to competition.

The U.S. Department of Health and Human Services also has the authority to enforce HIPAA and HITECH, although the regulations are not strong enough to really require the type of transparency DataBreaches is seeking.

Maybe if Congress can stop shooting itself in the foot and engaging in ridiculous clowny shows, we can find someone to promote meaningful bipartisan legislation.

But Until We Have More Enforcement or Statutes or Regulations Mandating More Transparency…

If data from a breach is being publicly leaked or a leak seems likely but the entity has not disclosed that, DataBreaches usually first attempts to contact the entity to ask them for a statement about the incident. If they fail to respond or their response appears misleading, DataBreaches will often report the incident publicly and include redacted screenshots as proof that personal data has been compromised.

Will consumers or patients be angry at the entity for not being more transparent and for having had to find out what is going on from this site, other media outlets, or from the threat actors themselves? Probably.

Will entities be sending DataBreaches Christmas cards if this site reveals a breach they haven’t disclosed yet or if they haven’t disclosed transparently? Probably not.

Will DataBreaches stop exposing breaches that entities have failed to disclose or have resisted disclosing transparently? No.

People need to know when their data is in the wild or about to be dumped so they can take steps to protect themselves. If entities won’t be transparent about that, DataBreaches will.

Image: Lastonein, CC BY-NC-ND 2.0 DEED


Category: Breach Incidents, Commentaries and Analyses, Of Note
