Why do I need to report a data breach?

This is a common question that business owners ask me all of the time. In response, I rattle off a laundry list of reasons why reporting is not optional — but mandatory. This includes ethical stewardship and obligations, business and public relationship reasons, and finally legal obligations that make it mandatory.

Some still think I am just Chicken Little claiming the sky is falling, but so it goes as some people just can’t be helped.

Thanks to the FTC, I now have another reason to give them. It fits into the legal obligations requirement and, while most of us in this profession implicitly knew this all along, nothing helps like an agency like the FTC just coming right out and saying it: The FTC said that it looks ‘favorably’ on firms that report a data breach.

“In our eyes, a company that has reported a breach to the appropriate law enforcers and cooperated with them has taken an important step to reduce the harm from the breach,” said Mark Eichorn, the agency’s assistant director for privacy and identity protection.

There you go, simple enough? Yes, you must report the data breach. Period. End of story.

