BreachExchange mailing list archives

Urban Outfitters’ Security Chief Says It’s Best To Keep Breaches A Secret


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 12 Aug 2014 20:02:08 -0600

http://www.pymnts.com/in-depth/2014/urban-outfitters-security-chief-says-its-best-to-keep-breaches-a-secret/#.U-pIx_ldXsg

Publicly, all retailers have—historically—said that data breach disclosures
need to happen quickly and publicly. Privately, though, IT and security
specialists have long questioned the point of such disclosures, especially
the early ones. The initial reports are almost always wrong, shoppers can’t
do anything useful with the information and it does little more than create
panic, they’ve argued.

Those IT arguments have almost always been kept behind the scenes, but a
very prominent Information Security executive—Dawn-Marie Hutchinson of
Urban Outfitters—has broken the retail Omertà by discussing these thoughts
with The Wall Street Journal. “There is this crazy hysteria” about
cyberattacks, she said. “Placing blame, it doesn’t help anybody.”

Hutchinson even disclosed an interesting procedural rule in case of a
breach. After a cyberthief attack involving consumer data, the Journal
said, Hutchinson’s “first call isn’t to her boss, who is Urban’s technology
chief. Instead, it’s to the company’s general counsel, a shift the company
made post-Target to cloak the conversations under attorney-client
privilege.”

Although Hutchinson’s facts are correct and represent a widely-held
opinion, the public act of arguing for disclosure delays is impressively
ill-advised. Consumers don’t react to facts. They react to emotions. If
they hear a retailer speaking of the need to keep data-breach (involving
customer data) details secret from those customer victims, it will generate
outrage and a sense of betrayal.

Surveys routinely show that shoppers lack trust in retailers, suspicions
that would be sharply expanded by such public comments. This is classic
damage control. Right and wrong doesn’t matter and breach details do not
matter. It’s all about a sense of trust. And arguing for secrecy to the
people you want to keep the information from is never a wise move.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com
