In the ruling on the TJX data breach, in which Albert Gonzalez was sentenced to 20 years in prison out of the 25 years the government had originally sought, JC Penney and one other company were ordered to disclose that they were part of the data breach.
JC Penney argued that it was entitled to anonymity and did not want to alarm customers by being linked to criminal activity that did result in thefts from other companies. JC Penney had determined that, though its data was breached, no identity or bank-card data had been stolen.
You may wonder why, if no personal data was breached, the company was ordered to disclose the breach. The decision came down to a consumer right to be informed:
Most people want to know when their credit or debit card numbers may have been put at risk, not simply if, and after, they have clearly been stolen.
The presumption of disclosure has an additional significant benefit, though…. Knowing that card holders will be concerned whenever their credit or debit card information is put at risk, if they know of it, provides an incentive to companies to invest in the protections their customers would want. Transparency makes the market work in this area.
As you can see, trust is an important aspect of consumer loyalty. Do you trust a company less if its security has been breached, regardless of the information breached?