Data breaches have become an unfortunate fact of life. But just because data breaches happen every day doesn’t mean your own enterprise’s incident isn’t big news that should be handled with great care. During cyber incident response, one public relations misstep can multiply the damage significantly.
Here’s a look at some bad behaviors you’re going to want to avoid:
DON’T just do the bare minimum.
Some companies try to keep a data breach relatively quiet by following only the minimum legal requirements and hoping it will blow over. In reality, it’s much more likely to blow up than blow over.
“Oftentimes, breach notifications are only done as a result of mandatory statutory reporting requirements and these requirements can vary widely depending on jurisdiction,” says Ryan R. Johnson, data privacy attorney and chief privacy officer at Savvas.
Johnson says that some US states’ data breach notification laws set very narrow reporting parameters such as mandatory notification triggered when specific types of personal data have been accessed by unauthorized parties. By comparison, other states give organizations broad latitude in a “risk of harm approach,” which allows the breached organization to decide whether it is necessary to notify customers.
“Simply put, it’s up to a company to make the determination on whether customers would be adversely affected by data compromised in a breach,” says Johnson.
And don’t forget: Some data breaches don’t include personal information at all. Breaches of intellectual property, for example, could impact entire supply chains.
DON’T downplay the potential damage.
It’s rare to know the full extent of the harm during or immediately after a data breach. But hopes often run high that the breach isn’t as bad as it seems. Don’t start off downplaying the damage in your initial disclosure to affected customers. If you do, you may face a worse situation later.
“The TJX management in the US would probably admit that their response to the [breach of 45.6 million credit card numbers] back in 2007 did not go well,” says JD Sherman, CEO of password manager Dashlane. “While they communicated on a timely basis, they underestimated the impact in their initial communications, making the news that the breach was much larger even harder to swallow.”
DON’T be a profiteer.
“One terrible way to handle a breach situation is to not handle it at all,” warns Cassandra Morton, senior vice president of customer success and service delivery at NTT Application Security. “Even worse is to use the event as an opportunity to sell a series of new tools and services in an attempt to course correct the situation.”
Don’t dangle free services as a way to get out of the situation either. After its 2017 breach that exposed Social Security Numbers, birth dates, and addresses belonging to what amounted to more than 40% of the US population, Equifax offered victims complimentary credit monitoring (provided, ironically, by Equifax themselves), but only if the victim first provided their credit card number and waived any rights to take legal action against the company. After public pressure from regulators and advocacy groups, Equifax later removed the arbitration clause.
DON’T disclose too late.
After a data breach, time is of the essence. If notification — to regulators, law enforcement, media outlets, and/or impacted customers — is mandated, your penalties can increase substantially as time drags by. (The European Union’s General Data Protection Regulation may require you to break the news to authorities within 72 hours of discovery.)
Sometimes law enforcement investigations will prohibit you from informing affected customers right away, but don’t unduly delay. More damage can result from the use or sale of that data elsewhere. If you delay warning your customers, third-party vendors, or others affected by the data breach, you are setting the scene for increasing harm.
“The worst way to handle notification is not sending at all or exceptionally late. This approach will immediately raise a level of mistrust by the consumers,” says Ron Tosto, CEO and Founder of Servadus, a cybersecurity and compliance consulting firm. “The message in the notice is that your organization is hiding something, and the information may have false statements within it.”
“There have been examples of notifications two years after the fact and only after an investigation revealed an omission of the exact details,” Tosto says.
“The other approach to avoid is placing blame or giving false credit for sophisticated hacker methods. Statistics show breaches are common with unpatched vulnerabilities for six months or more,” Tosto adds.
When credit bureau Equifax discovered a breach in 2017 that exposed Social Security Numbers, birth dates, and addresses belonging to what amounted to more than 40% of the US population, they took their time disclosing it. They waited 40 days
However, if your company stays quiet about a data breach unless and until the news media gets wind of it and publicly announces it, or if news breaks and you still take your time getting those notification letters out, you’ve likely created a public relations nightmare.
“The worst way to handle customer notification is for customers to hear about it in the news first, then get a notification — weeks, or even months later,” says Johnson.
The Golden Rule
Fortunately, all these bad moves can be avoided by simply following the Golden Rule.
“Customers often become angry with and lose trust in organizations that are not transparent, communicate no action or play a victim,” says Megan Paquin, APR, CPRC, vice president of Poston Communications, a PR and crisis communications firm, and leader of its crisis management team. “They understand that criminals are behind these attacks, but they need to feel confident that businesses have their backs when it comes to their data privacy and security.”