Key takeaways
- 55.2% of IT and cybersecurity professionals who experienced a security incident in the past 12 months say they were told to keep it confidential, even though they believed it should have been reported. That's according to Bitdefender's 2026 Cybersecurity Assessment, based on a Censuswide survey of 1,200 professionals across France, Germany, Italy, Singapore, the UK, and the US, at organizations with 500 or more employees.
- The U.S. had the highest suppression rate in the survey, at 68.6%. Germany and the UK followed at 57.2% each.
- This is not a fringe problem cooling off: the figure sat at 42% in 2023, spiked to 57.6% in 2025, and has only edged down to 55.2% in 2026. Bitdefender's own analysts call the plateau "arguably just as troubling as the initial spike."
- The pattern repeats regardless of seniority. Managers report being told to stay quiet at nearly the same rate (56.8%) as frontline practitioners (53.5%), which rules out "junior staff misunderstanding policy" as the explanation.
- Under GDPR, the 72-hour notification clock starts at the moment the organization becomes aware of a breach, not at the moment leadership signs off on disclosing it. A silence order issued during that window doesn't pause the clock; it just makes the deadline harder to meet legally.
More than half of the people whose job is to catch and report security incidents say someone told them not to. That is the finding, stated plainly, in Bitdefender's own 2026 Cybersecurity Assessment: 55.2% of respondents who had experienced a security incident or breach in the prior 12 months said they were instructed to keep it confidential despite believing, themselves, that it should have been reported.
The survey behind that number was run by Censuswide on Bitdefender's behalf between April and June 2026, as detailed in Bitdefender's press release, covering 1,200 IT and cybersecurity professionals, ranging from frontline practitioners to IT managers to CISOs, at organizations with 500 or more employees across France, Germany, Italy, Singapore, the UK, and the US. It's a large, cross-market, role-diverse sample, which is precisely what makes the result hard to write off as a one-country anomaly or a junior-staff misunderstanding.
If your team has ever been told to sit on an incident "until we know more," you already know how this plays out in practice. The instinct is to read it as an ethics story: individual managers making a bad call under pressure. It isn't. A failure rate this consistent, across six countries and every seniority band, is a governance design problem: a system that routes the decision to disclose a breach through the exact people who have the most reason not to.
What Bitdefender actually found
The topline number comes directly from Bitdefender's own reporting on the 2026 Cybersecurity Assessment. Regionally, the U.S. showed the highest suppression rate at 68.6%, with Germany and the UK tied at 57.2%. Bitdefender's analysts frame the multi-year trend as more concerning than the headline figure alone: the rate climbed from 42% in 2023 to 57.6% in 2025, and 2026's 55.2% is a plateau, not a reversal. As the company put it in its own analysis, "that plateau is arguably just as troubling as the initial spike," because it suggests the behavior has become an established pattern rather than a one-time overcorrection.
Bitdefender's take on the cause lands on culture, not policy text: "cultural change lags behind policy change." Organizations have adopted the disclosure regulations; they haven't changed the internal incentives that make disclosure feel dangerous to the person closest to the incident. The company's own framing of the fix is telling in what it doesn't promise a clean answer to: "changing behavior may require making disclosure feel less punishing. Or perhaps the opposite: making secrecy impossible to justify." That is a company that runs cybersecurity assessments for a living, conceding that policy alone hasn't solved this.
Why this is a design failure, not a character failure
Here is the mechanism worth sitting with: in most organizations, the person deciding whether a breach gets escalated is either the person who caused it, the person who manages the person who caused it, or the person whose department's numbers look worse if it gets reported. There is rarely a documented, independent escalation authority sitting outside that reporting line: someone whose job is specifically to receive breach reports and decide on disclosure without a stake in how the incident reflects on their own team.
Without that independent channel, "keep this quiet for now" isn't a rogue instruction from a bad actor. It's the predictable output of a system that gives disclosure discretion to people who are structurally incentivized to withhold it. The Bitdefender data bears this out: if suppression were really about individual ethics, you would expect it to vary sharply by seniority, since more senior people are (in theory) better trained on compliance obligations and less exposed to day-to-day blame. Instead, managers (56.8%) and practitioners (53.5%) report near-identical rates of being told to stay silent. The instruction is coming from somewhere structural, and it is landing on everyone in the chain roughly the same way.
This distinction matters because it changes what the fix looks like. An ethics problem gets solved with a training module and a code-of-conduct reminder. A design problem gets solved by removing the discretion: building a workflow where the decision to escalate doesn't pass through anyone who has an incentive to sit on it.
Bitdefender's finding isn't an outlier data point either. A separate 2026 survey of 2,350 CISOs, AppSec managers, and developers, commissioned by Checkmarx and fielded by Censuswide across 14 countries, found that 95% of CISOs feel pressured to suppress or delay compliance-related security issues when a business deadline is at stake. Two independently run surveys, using different questions and different respondent pools, land on the same structural pattern: the people positioned to catch a problem early are also the people facing the most pressure to make it disappear before it becomes visible.
How this compounds regulatory risk
Silence has a shelf life, and regulators do not measure that shelf life from when leadership finally agrees to disclose. Under GDPR Article 33, the 72-hour notification window to the relevant supervisory authority starts when the controller becomes "aware" of the breach, defined by the European Data Protection Board's Guidelines 9/2022 as the point of reasonable certainty that a security incident occurred and personal data was compromised. An internal instruction to keep an incident confidential doesn't move that starting line. It just eats into the clock the organization has left to comply, and if the 72-hour deadline is missed, Article 33(3) requires the notification to be accompanied by reasons for the delay, reasons that are considerably harder to write when the true one is "an employee flagged it and was told not to escalate."
U.S. state breach laws compound the same exposure differently. There's no single federal clock, but the trend among states is toward shorter, harder deadlines: California's SB 446, effective January 1, 2026, requires notification to affected residents within 30 calendar days of discovering a reportable breach, with an even tighter 15-calendar-day window to notify the state Attorney General after individual notice goes out. Twenty states now specify a numeric consumer-notification deadline (ranging from 30 to 60 days), and internal delay caused by a "let's not report this yet" instruction erodes that runway just as it erodes GDPR's. An organization operating across the EU and multiple U.S. states can be running several of these clocks simultaneously, all started by the same discovery event, all indifferent to whatever internal conversation happens before someone decides to act on it.
The regulatory backdrop is getting less forgiving of delay, not more. DLA Piper's own analysis of European supervisory authority data found that European data protection authorities received an average of 443 breach notifications per day in the year to January 2026, a 22% jump from 363 the year before and the first time the daily average has passed 400 since 2018. Regulators are processing more notifications, comparing more of them against each other, and have more practice spotting a late one. Reporting a breach 40 days after discovery because it sat in an internal debate about whether to say anything is a harder story to tell a regulator this year than it was two years ago.
This is also where the GDPR fines and penalties exposure compounds rather than simply adds: failure to notify within 72 hours is treated as a separate compliance failure from the underlying breach itself, meaning an organization can face enforcement for the cover-up on top of whatever penalty the breach already carries.
What a defensible internal escalation policy actually requires
A policy document that says "employees should report security incidents promptly" is not a defensible escalation policy. It's a sentence with no mechanism behind it. Three elements separate a policy that survives regulatory or reputational scrutiny from one that doesn't.
Named decision authority independent of the incident's origin. The person or role authorized to decide on escalation and disclosure cannot be the person who caused the incident, their direct manager, or anyone in the reporting line whose performance metrics are affected by the outcome. Data governance frameworks generally recommend that confirmed breaches or unauthorized-access events skip standard tiered triage entirely and route directly to a predetermined senior authority — a DPO, a dedicated incident lead, or an equivalent role with no stake in the outcome. If that authority isn't named in writing before an incident happens, it gets improvised during one, by whoever is most senior and most exposed.
Protection from retaliation for the reporting employee. This is the piece most policies skip entirely, and it's worth being precise about what legal protection actually exists versus what most companies assume exists. In the U.S., the Sarbanes-Oxley Act protects employees at publicly traded companies who report activity they reasonably believe constitutes securities fraud. It does not create a general shield for every employee who flags a data breach at a private company. That gap is exactly why an internal policy has to do the protective work statute doesn't: a written commitment, enforced in practice, that reporting a suspected breach cannot factor into performance reviews, assignments, or termination decisions, with that commitment sitting with the same independent authority named above rather than the reporter's own chain of command.
A documented timeline that starts at discovery, not at internal sign-off. The policy needs to record the moment of discovery as its own timestamped event, separate from and prior to any internal discussion about whether or how to respond. If the only timestamp your organization can produce after the fact is "when legal signed off on the notification," you have no record of how much of the regulatory clock was consumed by internal deliberation. That is precisely the detail a regulator asks for when a notification arrives late.
Where discretion gets removed from the process
The common thread across all three requirements is that they only hold up if they're structural rather than aspirational: the workflow itself, not a manager's judgment in the moment, has to determine what happens next. This is the practical argument for handling incident intake through a dedicated system rather than an email thread or a verbal chain of command: a workflow can't quietly skip a step the way a person under pressure can.
Secure Privacy's Incident Management module is built around that principle. Incidents get logged and classified by severity and affected data category at the point of discovery, which timestamps the clock's actual start rather than whatever date ends up in a final report. From there, the platform triggers notification workflows aligned to the applicable regulatory timeline (GDPR's 72 hours or the relevant state deadline) rather than waiting on an internal decision about whether to start that process at all. Response tasks get assigned and tracked across teams instead of living in one manager's inbox, and every incident lands in a persistent breach register with detection and containment dates recorded, producing the exact audit trail a regulator asks for if a notification arrives later than it should have.
None of that replaces having a named, independent decision authority; a platform doesn't fix an org chart. What it does is remove the quiet, undocumented off-ramps that let an incident get "handled internally" without ever generating the paper trail a regulator, or a board, would expect to see. If the workflow logs discovery automatically and starts the compliance countdown without waiting for permission, "we decided not to escalate yet" stops being an available option.
If your organization can't currently answer who has independent authority to decide whether a breach gets reported, that's worth surfacing before an incident forces the answer. A Data Protection Management System that formalizes incident response alongside the rest of the privacy program is the more durable fix than a policy memo nobody re-reads until it's too late.
FAQ
What did the Bitdefender 2026 Cybersecurity Assessment find about breach transparency?
More than half (55.2%) of IT and cybersecurity professionals who experienced a security incident in the past 12 months said they were told to keep it confidential, despite believing it should have been reported. The finding comes from a Censuswide survey of 1,200 professionals across six countries, commissioned by Bitdefender and fielded between April and June 2026.
Is breach suppression getting better or worse?
Better than its 2025 peak, worse than a few years ago. The suppression rate rose from 42% in 2023 to 57.6% in 2025, before edging down to 55.2% in 2026. Bitdefender describes the recent plateau as a sign the behavior has become entrenched rather than an early-stage problem still being corrected.
Does GDPR's 72-hour notification clock pause if leadership delays approving disclosure?
No. The clock starts when the organization becomes "aware" of the breach (the point of reasonable certainty that personal data was compromised), not when internal sign-off happens. Any time spent on an internal decision about whether to disclose still counts against the 72-hour window under Article 33.
What is the fastest U.S. state breach notification deadline in 2026?
California's SB 446, in effect from January 1, 2026, requires notifying affected residents within 30 calendar days of discovering a reportable breach, with a separate 15-calendar-day deadline to notify the California Attorney General after consumer notice is sent. Several other states also use a 30-day standard.
Are employees legally protected if they report a data breach their employer wants kept quiet?
Not automatically, and not universally. Sarbanes-Oxley protects employees at publicly traded U.S. companies who report conduct they reasonably believe constitutes securities fraud, but it doesn't create a blanket shield for every employee flagging a suspected breach at a private company. That's why a written internal non-retaliation commitment, enforced by an authority independent of the reporter's chain of command, has to do work that statute alone doesn't.
What makes an internal breach escalation policy defensible rather than just aspirational?
Three things: a named decision authority with no stake in how the incident reflects on their own team or performance, an explicit non-retaliation commitment for the reporting employee, and a documented timeline that starts at the moment of discovery rather than at the moment internal deliberation concludes.




