Weinergate and The Case for Full Disclosure of Data Breaches

Often when I chat with people within the industry, the one thing I expect is a consistent message akin to a broken record.

De-perimeterization, consumerization, defense in depth – the list of things I hear brought up in nearly every conversation is as finely tuned as a political candidate’s talking points, which got me thinking.

One aspect of the art of information security that I find troubling is the unwillingness of many organizations to admit when they have suffered a data breach. Those within the industry, especially on the vendor side, know that their customers only want to disclose something when they have to, not because they have their clients’ best interests in mind. Another constant I hear from those within the industry is that whether an organization gets breached is a matter of when, not if.

So, if the defense of data exists within a framework where attackers will inevitably get the best of the defenders, at least on certain occasions, then why all the attempted concealment? What can really be gained from delaying the inevitable? Just as you will eventually get breached, news that your organization’s networks were compromised will ultimately leak.

It is with this in mind that we can actually learn something from some of the shrewdest politicians we have encountered during the age of mass media. To get out in front of a story, if only to be able to dictate it briefly, is an invaluable PR move, with the added benefit that your customers may appreciate the effort as well. Recounting some of the most notable exploits in this area reveals both brilliant and disastrous examples.

Richard Nixon set the standard during his memorable ‘Checkers’ speech. Somehow, one of the largest crooks in American history was able to, albeit briefly, convince the public that he was trustworthy. Let’s chalk this up to a good PR move gone to waste, as Nixon’s dabbles in denial would come some years later.

Then there’s Jim McGreevey, former governor of New Jersey. Rather than face the potential embarrassment of inquiries into why he gave his alleged lover a homeland security post for which he was questionably qualified, McGreevey beat his opponents to the punch, disclosed his sexual indiscretions, resigned, and sailed off into the sunset. No harm, no inquiry, and he left with one of the highest approval ratings of any governor in the recent history of the Garden State.

Eliot Spitzer is yet another example. Sure, he had to leave his post as governor of New York in disgrace, but popular consensus has not branded him a liar, leaving the door open for his entrée into cable news, and perhaps a future in politics again, once memory of his transgressions has faded.

Then there are the lessons learned from public figures who did not operate under the full disclosure model. One need only ask Bill Clinton where stubbornness and stall tactics will end up: with a run of success overshadowed by near-disgrace.

I was no doubt surprised by Congressman Anthony Weiner’s, for lack of a better word, stupidity over the tweeting of some scandalous photos. His tactic was old school – conceal then deny, deny, deny. A savvier politician, or organization for that matter, should know that it’s best to get out in front of the story. Whether it’s a sex scandal or a data breach, it’s not the actions or events that so many find distasteful, but rather the lack of honesty employed by some to cover up potentially unfavorable news.

Disclosing how an attack was conducted is typically not necessary, as the details of the intrusion are secondary to the fact that it occurred at all. What’s more important is that you are willing to level with your customers. After all, if they are to trust you by purchasing your product, then they should be able to trust you with the information they provide. And if this information should be compromised, then a little good will in sharing the plain facts with your customers can go a long way toward ensuring a long, beneficial relationship. If you are worried about your company’s reputation, keep in mind that resurrection stories are timeless.