My point is that data breaches and breach-disclosure laws are realities that affect each other and that companies need to think about carefully. They must work out precise and explicit guidelines long before they are in the thick of a real incident. To decide things on the fly, based on the particulars of each situation, is a recipe for inconsistency. You are letting the people who are in charge of preventing attacks decide when they have to tell the world about an attack — and the potential for embarrassment will influence their decisions, because they will be sure that the world is going to decide that they failed to do their job.
Look, keeping quiet out of a sense of shame can cost you a lot more than you realize — and everything will probably be disclosed in the end anyway.