You can barely throw a rock on the Internet these days without hitting a piece of advice on the best way to prevent a data breach. Yet, any organization that falls victim to such an attack is likely to find little guidance about the next steps to take. What’s the most appropriate way to share the news about a security incident?
Know Your Audience
The key to finding the best approach is to first understand that the message may have to vary slightly depending on the recipients, in order to address their particular pain points and concerns:
- Consumers worry about their privacy. Will they need to switch banks? Cancel cards? Should they continue doing business with the affected company?
- Regulatory bodies like the Federal Trade Commission will want to verify that the technical aspects—like fulfilling any statutory obligations—of the announcement meet certain standards.
- Banks will want details about how the affected company will address the costs for issuing new cards to consumers.
- The board and the shareholders are more concerned about company worth and viability, and how or if such an incident compromises an organization’s value.
Given that this is just a cross-section of those who might be affected by a data breach, it is easy to see how any official message must be tailored according to the audience.
Tips for Taking the Plunge
Once it’s time to explain, remember that honesty is the best policy… with these tips:
- Find the right balance between planning when and how to discuss any cyberattack with those affected, whether that means shareholders or cardholders. Some companies have found success with making an initial limited disclosure, then releasing more details once the investigation is complete, but don’t deliberately downplay the gravity of the situation either. Also, comply with all mandatory disclosure timelines.
- Remember that language is everything. A “cyberattack” suggests an unforeseen and unpredictable outside force, while a “data breach incident” subtly implies that the company is at fault. Choose every word carefully.
- Know your rights. Reporting information to the authorities may negate the protective status of attorney-client privilege. Although cooperation with law enforcement is a must, do so with the guidance and advice of counsel rather than disseminating information too quickly.
- Remember that excessive compensation isn’t a must. Although offering a type of loyalty reward, like free credit monitoring, as a gesture of thanks to affected customers is understandable (and often appropriate), going overboard with an offer that’s disproportionately generous can look suspicious, as if the company were admitting more culpability than it has. Always weigh the considerations of such offers against the possible costs.
- Don’t be afraid to involve forensics consultants as part of damage control. Digital evidence can uncover indicators that point to a preventable security compromise, or proof that could absolve an affected company completely.
Although any data breach incident—ahem, cyberattack—can feel like a PR nightmare, it doesn’t have to be. Going public with a data breach can be handled with professionalism and grace, as long as a solid strategy is set in place before any information is released about the incident.
Written by Dean Van Dyke
Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, Lean Six Sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke formerly headed Microsoft’s corporate records and information management team, and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.