A reader asked this question on Twitter after reading my post on Global Payments having explaining to do: “The PR challenge for Global Payments: ‘openness’ is critical for maintaining public trust. But how open can you be about security?” It’s a good question, and one of the toughest to answer.

In my years as a security scribe, I’ve come up against the issue way too many times to count. The instinct of a journalist is to get everything out there. The reasoning is that the public has a right to know, especially if they do business with the party in question and they’ve personally been put at risk. In my opinion, that is exactly why Global Payments needs to be a lot more open going forward. Credit card holders are at risk. When all is said and done, it’s possible the number of people compromised as a result of this breach will be far smaller than the numbers currently bandied about. When the numbers are smaller, someone somewhere inevitably complains that the story was over-hyped and coated in FUD. But if you are one of the few victims, it’s anything but hype, because you are living with the consequences.

But there’s another legitimate side to this: sometimes, too much detail can threaten security. I once got a behind-the-scenes tour of security at one of the U.S.’s biggest landmarks. The place has several features and procedures designed to defend against a terrorist attack. I wasn’t allowed to take pictures or write about those items, and I was fine with that. Secrets are a natural byproduct of national defense.

But when a data breach hits a company in the private sector, I’m less willing to accept secrecy for the sake of security. Realistically, I know all the facts can’t come out at once. In the example of Global Payments, the investigation is still in the early stages and the company has to get the full picture of what they’re dealing with before telling the public everything.
It’s similar to a news organization holding back a story that’s potential page-view gold because all the facts aren’t in place yet. Global Payments does indeed have explaining to do. But I realize they have to get a better handle on what happened. Our job is to keep coming back to them — a lot more frequently than they would like — in search of updates. Without public pressure, it’s easy for a company to drag its feet and stonewall over something like this.

It’s also our job to keep the pressure on if the company tries to hold back important details in the name of security. Some details may need to be kept under wraps so a future breach isn’t made easier. The question is, which details are legitimately too sensitive for public consumption and which ones need to be shared even if it makes the company look bad? That’s the challenge: to reach a consensus on where the line is. Since no two companies are exactly the same, I doubt we’ll ever figure out where the line belongs. But for the sake of discussion, I felt it was worth bringing up.