Many security breaches go unreported
The more you talk to people in the security field, the more you get the distinct feeling that lots of corporate security breaches go unreported.
You can understand why a company wouldn’t want to make a big deal out of an incident. If non-PII was stolen and the number of victims was relatively small, then you risk alarming the customer base and fomenting unnecessary uncertainty. You certainly don’t want to hurt the stock price. Of course, at some level, you are legally bound to disclose the incident.
For companies that want to keep it all hush-hush, the U.S. Attorney for the Southern District of New York has a message for you: Tell us. The reality is that most companies assume that the bad guys are uncatchable, that they ply their trade overseas in complete anonymity.
But Preet Bharara says that companies should trust the FBI and prosecutors to keep their secrets. He thinks companies have an obligation to get their heads out of the sand, to help the crime fighters do their good work.
“When industry delays or minimizes, it is harder to assess vulnerabilities and harder to formulate solutions,” Bharara told Reuters. “When industry delays unduly in disclosing to us, or minimizes, it is that much harder to get the bad guy.” For most companies, this really shouldn’t be a hard decision.