March 28, 2011, 8:40 AM — One in 7 information technology companies have not reported data breaches or losses to outside government agencies, authorities or stockholders.
In addition, only 3 out of 10 said they report all data breaches and losses suffered related to intellectual property, while 1 in 10 organizations will only report data breaches and losses that they are legally obliged to report, and no more. Six in 10 said they currently "pick and choose" the breaches and losses of sensitive data they decide to report, "depending on how they feel about them."
Those were some of the key findings from a McAfee and Science Applications International Corp. (SAIC) survey that queried 1,000 technology managers in the U.S., United Kingdom, Japan, China, India, Brazil and the Middle East on questions about intellectual property and security.
The report, entitled "Underground Economies: Intellectual Capital and Sensitive Corporate Data Now the Latest Cybercrime Currency," said the main reasons for not disclosing data breaches are fear of media coverage and of damage to the brand and to shareholder value. "The admission of a significant vulnerability could flag other attackers so very few companies are willing to be public about intellectual capital losses," the report says.
John Dasher, senior director of data protection at McAfee, said that "losing some of your crown jewels" would in theory be considered a matter that should be disclosed to shareholders as important information of material interest or for other legal reasons.
"But most of them aren't reporting," says Scott Aken, vice president for cyberoperations at SAIC, who called the survey results surprising. Another finding of the survey, that about 25% of the organizations "had a merger or acquisition or product rollout stopped by a data breach," was also a surprise to Aken. "Sometimes companies don't know they had a data breach and only find out months later," he said. It disrupts operations.
The report also says the economic recession has impacted how organizations are looking at where they store sensitive data such as intellectual property, proprietary information and trade secrets.