BlackBerry’s senior director of business operations discussed the business ramifications of critical data breaches, and the decisions companies are often confronted with, on Tuesday as part of the Cybersecurity Speaker Series hosted by the Robert Strauss Center for International Security and Law and the Center for Enterprise and Policy Analytics.
BlackBerry focused on business-centric smartphones a decade ago, but according to Yahoo Finance, the company’s stock dropped 95% from 2008 to 2012 and it was outpaced by Samsung, Google and Apple. Since then, the Canada-based tech firm has refocused much of its attention on developing cybersecurity services, said Mark Anderson, senior director of business operations.
Anderson spoke to an audience of nearly 30 people on the factors companies must consider when a breach occurs, such as the cost to remediate the breach and whether or not to make the breach public.
Anderson said companies are not always legally obligated to report data breaches, and they may refrain from going public if doing so is determined to be too costly.
“If it’s personally identifiable information, there’s no question (that) you report it,” Anderson said. “If it’s something I can absorb without telling people like sales or marketing information, I’m not going to report that … If it (the data breach) is my intellectual property, there’s a different decision there (in choosing whether to report).”
Anderson said the United States has the most lenient, decentralized and least comprehensive data breach reporting laws, while the European Union’s General Data Protection Regulation is one of the most thorough.
“It is not one area of the government or private sector that controls personal information releases and how they’re reported,” Anderson said. “Federal laws are lacking. There’s no singular comprehensive approach. There are a number of agencies that have a dog in the fight … None of them do anything like the Europeans, which require you to remediate with the customer and require you to make the customer whole.”
Anderson said he estimates that, in general, about 20% of data breaches are not reported. He said that for nearly all data-driven firms, remediating and reporting data breaches is a difficult and costly task that can harm a company’s reputation.
“If I’m not legally obligated to (report a data breach), and I’m going to lose a ton of business because customers will no longer see me as a company of respect, how do I make that determination … am I going to report simply because I have a data breach?” Anderson said.