
ITRC breach report reveals lack of detailed breach reporting

We speak to the ITRC president for comment on the “no comment crisis.”

Billy Hurley has been a reporter with IT Brew since 2022. He writes stories about cybersecurity threats, AI developments, and IT strategies.

We’re not sure if we should tell you all this, but…

There’s a “no comment” crisis in cybersecurity.

Despite laws in all 50 states requiring businesses and government entities to notify individuals of any breach of their personally identifiable information, the Identity Theft Resource Center (ITRC) has noticed that disclosures increasingly don’t disclose all that much.

In an annual poll, the ITRC found a growing silence among the compromised:

  • In 2020, “nearly every” disclosure shared details regarding the cause.
  • In 2025, seven out of 10 notices lacked information about the compromise’s cause.

Over time, data breach notices have become less helpful, ITRC President James E. Lee told IT Brew.

“Up until 2020, most data breach notices actually had very actionable information that a business or a person could look at and go, ‘Okay, I know what I need to do to make sure I’m not vulnerable to a similar kind of data breach at someplace else,’” Lee said. “That information now is largely gone.”

The ITRC, in its report, advises lawmakers and regulators to mandate that orgs: 

  • State the exact cause or attack vector
  • Specifically list the data compromised
  • Provide non-technical explanations for “what happened”

Lee spilled more to IT Brew on why disclosures aren’t disclosing, what CISOs can do, and what needs to happen next.

Responses below have been edited for length and clarity.

What is leading companies to be less and less forthcoming with their details?

It’s nothing more complicated than we’ve had federal court cases that have said, essentially, you don’t have standing to sue a company unless you have had actual harm resulting from a data breach…And so the advice of counsel has been to organizations: Don’t include any information in a data breach notice. It’s not required, so don’t create this roadmap for discovery.

What kinds of information are missing now in these notifications?

Primarily: what happened? When did it happen? When did you find out about it? When were you able to act on it? When did you stop it, and exactly what information was compromised?…What the organization did as a result, and most importantly, what are they doing to prevent a recurrence of that? Those are the elements that we used to get, but now are largely missing.

What would you advise a CISO to do in the event of a breach, regarding commentary?

It’s largely out of the hands of the CISO. It’s going to be determined by the general counsel and perhaps the risk management team…It’s a very strong CISO who can stand up [to] the general counsel and perhaps the CFO or the CEO, and say, “We have to make sure we’re taking all the actions now to prevent this from happening again.”

The reality is: They need to stand firm. They need to point out that, “We need to tell people what has happened so they can protect themselves. We need to tell other people and other companies in our peer set: This is what happened. This is how it happened. This is how you can prevent it from happening.” And if there were things that went wrong and ultimately you do wind up in litigation, or in some sort of enforcement action with a government regulator, it is always going to be to your best interest to be forthcoming. It’s painful, but it always pays off in the end.

What is the problem with today’s disclosure laws?

From 2005 to 2008, you have most of the states adopt a state data breach law, but they’re all over the place. They all have different definitions of what is personal information. They all have different trigger points. They all have different requirements for what is included in a data breach notice, how soon after the breach that somebody has to be notified. So, we don’t have anything approaching uniformity. And the problem with that is, where you live determines what you find out, when you find out, and what assistance you have available to you. That’s fundamentally unfair.

Should laws change to reflect that uniformity?

We already have great examples that the federal government can do it. If you look at HHS and what they do with HIPAA, they manage and enforce data breach in terms of health data, and do it uniformly. So, there is a model to do it. It’s just a matter of Congress having to act to do it, and the states have to believe that it’s in their best interest for that to happen as well, too.
