Gartner Blog Network

Don’t ask, Don’t tell – when it comes to breach disclosure

by Avivah Litan | November 30, 2010

I was having a conversation with a colleague today who reminded me of the new meaning of ‘Don’t ask – don’t tell’ when it comes to breach disclosure.

I actually heard this theme from health care clinics and companies in response to some of the new health care reform acts, including the one that addresses electronic health care records.

That is, according to the new laws, health care companies must disclose breaches that they discover. But if they don’t discover them, they don’t need to disclose them. I had one health care clinic tell me that a sister-hospital had a proof of concept test with a vendor that monitored access to their systems for abuse, misuse, and assorted types of information leaks. They were shocked by the misuse and abuse that was uncovered and told the vendor to go away and not come back. They didn’t want to know about the incidents because they didn’t want to disclose them.

So much for government incentives.


Avivah Litan
VP Distinguished Analyst
19 years at Gartner
34 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Ms. Litan's areas of expertise include endpoint security, security analytics for cybersecurity and fraud, user and entity behavioral analytics, and insider threat detection.
