Cybersecurity Ethics

At an MLCE today and got this hypothetical:

Your Company learns that a bug in one of your apps could have provided bad guys with access to confidential user information, but you do not have evidence that anyone actually obtained such information. You’ve fixed the bug. Arguably, privacy statutes require the Company to make disclosure to users and/or regulators. Management makes decision not to disclose, because no indication of actual breach. Ethical issue?

The audience of lawyers split 75% / 25% (live polling) calling this an ethical issue. Fascinating.

Two points: (1) I think the right answer is no. If the statute “arguably” does not require disclosure (i.e. reasonable people disagree) then this is not an ethical issue. But also (2) this scenario is almost certainly true all the time for all companies with confidential user data and internet-facing systems. Should they all be disclosing all the time? Is that even realistic?

Just take a look at the National Vulnerability Database, do a blank search, and look at the security bugs listed today. Awful security bugs are being found, published, and fixed every day for every major application everywhere. If you have confidential user information and internet-facing applications, you may face this hypothetical every single day.