The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.
Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult.
Many of the areas where we have seen companies struggle involve management-level strategic decisions that must be made when a security incident is identified. This eight-part series explores these difficult decision points. For each there are no “right” or “wrong” answers. Like all strategic decisions management must examine the specific facts facing their company and their organization’s culture, their industry, and business realities.
While there may be no right or wrong answer, in our experience executives that have anticipated these decision points before a breach are better able to make decisions that align with the organization’s overall strategic goals and are able to do so with greater speed and confidence.
Part 1: When To Disclose An Incident.
Situation. Some types of data security incidents are relatively easy and quick to investigate (e.g., sending an Excel file to the wrong party). Other types of data security incidents can lead to complex forensic investigations that may take a significant amount of time to determine whether a breach occurred, and, if so, how an attacker infiltrated an organization’s network and exfiltrated data. For example, many credit card related security incidents require two or three months for an investigator to determine whether there has been a breach and, if so, the extent of the data lost. In situation with relatively long forensic investigations companies can struggle with whether to (1) proactively inform the public/third parties that the company is investigating an incident that may ultimately be a data breach, or (2) wait until the forensic investigation is concluded and a breach has been confirmed prior to issuing a public statement.
Some Strategic considerations: Management typically considers the following factors when determining whether to disclose a security incident:
Pros of early disclosure.
1. Disclosing a security incident early (g., when it is first identified) can avoid allegations that the company withheld information about a breach from the public.
2. Disclosing a security incident early can permit the company to shape the message and increases the likelihood that the information that is released about the incident is accurate and non-speculative (e., not coming from a third party that does not have any real information concerning the incident).
3. If the company decides not to disclose an incident early based on the hope that a full investigation may provide management with more complete information (g., did a breach actually occur? When did it first occur? What was the size? Is data still vulnerable?) management should realize that there is a strong likelihood that the press will leak the existence of the incident before the investigation is concluded.
Cons of early disclosure.
1. Companies often have relatively little confidence in the accuracy of preliminary information about an incident. As a result, disclosing too much information too early may inadvertently result in conveying information that is inaccurate in retrospect.
2. If you inadvertently disclose preliminary information that turns out to be incorrect, it increases the likelihood that your company will be the target of litigation or a government investigation focused on a deception or fraud theory.
3. If you disclose preliminary information that needs to be updated as the investigation progresses you can inadvertently create several news cycles about a security incident that might, on its own, have generated relatively little publicity.