Several years ago, while still prosecuting computer crime cases for the Justice Department, I learned about two community banks in a small Midwest town. They had been competitors for decades.
They both got hacked on the same day, by the same hacker, using the same exploit. They both closed the hole within a day, but not before each of them had lost about $100,000.
The first bank reported the intrusion to the FBI and promptly reported the loss to their account holders. The second bank said absolutely nothing.
As a result of these actions, the first bank's depositors immediately withdrew their funds and moved their money across the street to the second bank – "where it would be safer." The first bank, the one that had reported the crime – a report which eventually led to the conviction of the hacker – went under, and its investors lost everything. The second bank's investors reaped the rewards that come from being the only bank in town. So, which bank did the right thing?
This all took place several years before the current breach notification laws came into existence, so there was no reporting violation on the part of the second bank that received the windfall profit from its silence. From a strictly business point of view, it acted to protect its shareholders. But, on the flip side, if the first bank had not reported the break-in, the hacker might still be out there hitting one company after another.
It was exactly this dilemma that created the need for breach notification laws. Today, however, the existence of breach notification laws in 47 states levels the playing field and ensures that consumers of both bank one and bank two will be protected. It does make one wonder what the delay is in the remaining states.