Data breaches have become an unfortunate fact of life. But just because data breaches happen every day doesn’t mean your organization’s incident isn’t big news to be treated with extreme caution. While responding to a cyber incident, one misstep in PR can exponentially multiply the damage.
Here’s a look at some of the bad behaviors you’ll want to avoid:
Don’t just do the bare minimum.
Some companies try to keep a data breach relatively quiet by following only the minimal legal requirements, in the hope that it will blow over. In fact, it is more likely to blow up than to blow over.
“Often, breach notices are only executed as a result of mandatory statutory reporting requirements, and these requirements can vary widely depending on the jurisdiction,” says Ryan R. Johnson, data privacy attorney and chief privacy officer at Savvas.
Johnson says data breach notification laws in some US states set very narrow reporting standards, such as mandatory notification triggered when certain types of personal data are accessed by unauthorized parties. In contrast, other countries give organizations broad leeway under a “harm risk approach,” which allows the compromised organization to decide whether it is necessary to notify clients.
“Simply put, it is up to the company to decide whether customers will be negatively affected by the data that has been compromised in the event of a breach,” Johnson says.
And don’t forget: some data breaches don’t involve personal information at all. Intellectual property violations, for example, can affect entire supply chains.
Don’t underestimate the potential harm.
It is rare to know the full extent of the damage during or immediately after a data breach, and hopes often run high that the breach is not as bad as it seems. Don’t minimize the damage in the initial disclosure to affected clients. If you do, you may face a far worse situation later.
“TJX management in the United States would probably admit that its response to [the 2007 breach of 45.6 million credit card numbers] didn’t go so well,” says J.D. Sherman, CEO of password manager Dashlane. “While they were communicating in a timely manner, they downplayed the impact in their initial communications, making the news that the hack was so much bigger that much harder to swallow.”
Don’t take advantage of the situation.
“One terrible way to handle a breach situation is to not deal with it at all,” warns Cassandra Morton, Senior Vice President of Customer Success and Service Delivery at NTT Application Security. Worse still is using the event as an opportunity to sell a series of new tools and services under the guise of correcting the situation.
Don’t dangle free services as a way out of the situation, either. After its 2017 breach that exposed Social Security numbers, dates of birth, and addresses belonging to more than 40% of the US population, Equifax offered victims free credit monitoring (provided, ironically, by Equifax itself), but only if the victim first provided a credit card number and waived any right to take legal action against the company. After public pressure from regulators and advocacy groups, Equifax later removed the arbitration clause.
Do not disclose too late.
After a data breach, time is of the essence. If notification – to regulators, law enforcement authorities, media outlets, and/or affected customers – is required by regulators, your penalties can increase significantly the longer you wait. (The EU’s General Data Protection Regulation may require you to report a breach to authorities within 72 hours of discovering it.)
Sometimes law enforcement investigations prevent you from immediately notifying affected customers, but don’t delay unnecessarily. Further harm could result from the use or sale of that data elsewhere. If you delay warning customers, third-party vendors, or others affected by a data breach, you are setting the scene for increased damage.
“The worst way to deal with notifications is to never send one, or to send it exceptionally late. This approach will immediately raise consumer distrust,” says Ron Tosto, CEO and founder of Servadus, a cybersecurity and compliance consultancy. “The message in the notice is that your organization is hiding something, and the information may contain false data inside.”
“There have been examples of notifications two years after the incident, and only after the investigation revealed that the finer details had been left out,” says Tosto.
“Another bad approach is to shift blame or give false credit to complex hacking methods. Statistics show that breaches commonly involve vulnerabilities that have gone unpatched for six months or more,” Tosto adds.
When credit bureau Equifax discovered a breach in 2017 that exposed Social Security numbers, dates of birth, and addresses belonging to more than 40% of the US population, it took its time to disclose it, waiting 40 days.
If your company stays silent about the data breach until the news media breaks the story, or if the news breaks and you still take your time sending out those notifications, you’ve likely created a PR nightmare.
“The worst way to deal with customer notification is for customers to hear about it in the news first, and then receive a notification — weeks or even months later,” Johnson says.
Fortunately, all these bad moves can be avoided by following the golden rule.
says Megan Paquin, APR, CPRC, vice president and crisis management team leader at Poston Communications, a public relations and crisis communications firm. “They understand that criminals are behind these attacks, but they need to feel confident that companies are supporting them when it comes to the privacy and security of their data.”