Companies lag in revealing data breaches, consumer groups say
August 29, 2014
Craig Timberg, Andrew Peterson and Ellen Nakashima
Rumors of a data breach at a major New York bank started circulating more than a week ago in cybersecurity circles. So for insiders, news that JPMorgan Chase had been victimized was more confirmation than revelation, the latest headline from a digital crime wave that shows no sign of ebbing.
But for the millions of customers of JPMorgan Chase, the news reports that began appearing Wednesday were the first indication that their personal information might have been stolen by hackers. Like Target, Neiman Marcus, and countless other companies, the nation’s largest bank chose to keep evidence of a cybercrime private until journalists forced the issue.
This reticence is both deeply rooted within corporate America and, to some consumer advocates, deeply infuriating. Had a family’s precious jewelry been stolen from a safe deposit box, any bank would have quickly notified the affected customer. Yet loss of personal information, especially when it happens on a mass scale, is treated differently, both by the law and by industry custom.
The result is that weeks, or longer, can pass between when a company learns of a cybercrime and when its customers do. That gap, say security experts, can amount to crucial lost time for people who might want to protect themselves by monitoring transactions, changing passwords or alerting other relevant parties — such as a credit card company — that the risk of fraud or identity theft is elevated.
“There have been so many breaches where companies have held information for so long that more disclosure would force companies to do a better job being accountable to consumers,” said Ed Mierzwinski, consumer program director at US Public Interest Research Group.