Key Highlights
- The Identity Theft Resource Center (ITRC) reports a growing trend of insufficiently detailed breach disclosures.
- Data breach notices increasingly lack critical information such as the cause and impact of the breach.
- CISOs must stand firm against legal advice to ensure transparency in breach notifications.
- Uniform national standards for data breach disclosure are necessary but politically challenging.
The Growing Silence on Breach Details
We’re not sure if we should tell you all this, but there’s a “no one cares” crisis in cybersecurity. Despite stringent laws requiring notification of breaches, many organizations are increasingly lax with the details they share.
ITRC’s Annual Poll Reveals Declining Transparency
In 2020, nearly every data breach notice provided actionable information to prevent future incidents. By 2025, only three out of ten notices included such information. ITRC President James E. Lee told IT Brew that this shift is concerning: “Up until 2020, most data breach notices had very actionable information. Now, it’s largely gone.”
Legal Advice Silencing Details
The problem isn’t just negligence; it’s legal advice dictating silence. Lee explains, “Federal court cases have advised organizations not to include any information in a data breach notice because it can create roadmaps for lawsuits. Don’t create this roadmap.” This means CISOs face an uphill battle against their legal teams.
But they need to fight back. Lee advises, “They need to stand firm and say, ‘We have to tell people what has happened so they can protect themselves.’” Being forthcoming isn’t just polite; it’s prudent. “It always pays off in the end.”
Uniformity in Disclosure Laws
The patchwork of state laws exacerbates the problem. From 2005 to 2008, most states adopted data breach laws with different definitions and requirements. Lee argues for federal uniformity: “We need a model like HHS’s HIPAA approach.” However, achieving this is politically challenging.
So while the legal landscape remains murky, the stakes are clear.
In an age where personal information is currency, transparency in breach disclosures is not just nice; it’s essential. And as CISOs face pressure from legal teams, they must prioritize their users’ safety over potential lawsuits.
You might think this is new, but the struggle for transparency isn’t. It’s an ongoing battle that we’re only now fully understanding.
The ITRC’s report is a wake-up call. Let’s hope lawmakers and organizations take heed.