Disclosing a data breach is never something an organization wants to do, but the consequences of neglecting that responsibility can cause far more damage than taking the appropriate action.
Earlier this month, Uber’s reputation was damaged again after news broke that the company was being sued by the state of Pennsylvania after failing to properly disclose a data breach from last year. As Uber has learned, failing to disclose a data breach has become just as newsworthy as the attack itself.
When it comes to data breaches, it is important to remember the lessons we all learned as kids. We must take ownership of our mistakes, be willing to tell the truth—even if it’s hard- and be proactive (rather than trying to sweep the breach under the proverbial rug).
Is it possible to disclose a data breach in a way that doesn’t damage your reputation? The answer is yes. But, to do so, it’s important to know both the reasons you would need to disclose a breach, along with any best practices for notifying the appropriate stakeholders.
Reasons Organizations Should Disclose Data Breaches
As with many cybersecurity-related issues, specific regulations have been put in place to dictate how organizations should disclose a data breach. Those regulations fall into three main categories:
- Federal Regulations—The US government has specified breach disclosure requirements for certain types of data. For healthcare organizations, HIPAA regulations outline how organizations should respond when patient health information is compromised. Financial institutions should follow FFIEC requirements for data breach disclosures.
- State Regulations—California was the first state to create a law regarding data breaches in 2002. Today, 48 states have created a set of laws and regulations that define protected data and dictate how organizations should respond to data breaches affecting state residents. Many of these states also specify safe harbor provisions for encrypted data.
- Industry-Specific Regulations—Some industries have specified their own set of requirements when it comes to managing a data breach. For retailers and businesses, there are specific PCI compliance regulations that create the obligation to disclose information related to a breach if credit card data is compromised.
When it comes to determining whether you should disclose a data breach, it’s important to know the applicable regulations. It’s also a must to know the specific laws of the states in which you conduct business. For example, last year in Tennessee, the state government modified its breach notification requirements related to safe harbor for encryption.
How to Disclose a Data Breach
While many organizations are trying to put the right cybersecurity best practices in place, data breaches still occur. If you are an organization that happens to experience a breach, here are a few best practices when it comes to notifying appropriate stakeholders:
- Immediately work to remediate the issue. Once you’ve learned that a breach has occurred, the best immediate response is to work to resolve the issue and protect your data. Not only will this help limit the damage, it will also give stakeholders confidence that you’re working to resolve it.
- Disclose as soon as feasible. When a data breach occurs, people inevitably look for more information. They hear news from friends or read an article online, and they’re curious. Controlling the narrative by making factual information readily accessible is enormously important.
- Be honest and accurate. There’s always a temptation to downplay an incident or provide misleading statements to save face. It’s good to avoid statements which can be misleading or unclear. Instead, focus on providing accurate information that will provide interested and affected parties with the details they need in order to protect themselves, and that will help maintain trust with stakeholders.
- Commit to continual updates. The worst thing you can do is notify stakeholders, and then go dark. Make sure they are aware that you will continue to update them on the breach and the steps you’re taking to address it until the damage is completely resolved.
Be Proactive Before the Breach
Data breaches are never a pleasant thing to deal with, either as an individual victim or as the company that lost the data.
The best thing you can do in regards to a data breach is to start preparing today. This means conducting regular cybersecurity risk assessments to ensure you’re doing everything you can to prevent a potential breach. It also means proactively creating a computer security incident response plan that outlines exactly what to do if a breach occurs.
Whether you’ve just experienced a breach or looking to proactively prepare, our team at LBMC Information Security can help. We’ve created a diverse team of experts who know your specific industry and state regulations. We can help you put a plan in place to minimize the impact of a breach, help you triage a suspected incident, and guide you to take steps towards maintaining trust with customers, patients, or other stakeholders.