
Prompt Breach Disclosure Essential

June 27, 2018

At the RSA Cyber Security Conference this spring, a survey of attendees by access management company Thycotic exposed a shocking double standard regarding breach disclosures.

Not shockingly, 84 percent expected an organization to notify them immediately if it suffered a data breach.

Shockingly, only 37 percent said they would notify their customers promptly if their organizations suffered a breach.

On second thought, when you see the blatant disregard for users’ privacy and PII by corporate America (think Uber, Equifax, Panera Bread breaches, etc.), the figure shouldn’t be that shocking.

Far too often, businesses in particular compound the inherent damage of a breach by covering up the facts as long as possible out of a greater concern for the company’s and executives’ reputations than their customers’ identities.

Of course, such foot-dragging in disclosing breaches never ends well for the company: it typically costs a hefty percentage of sales in the immediate aftermath, triggers a dramatic drop in stock price for publicly traded entities, causes a public relations disaster and lost goodwill, invites government investigations, and costs the CEO and key IT personnel their jobs.

Unnecessary butt-covering in disclosing breaches is why business owners are so often viewed as suspiciously as the hackers rather than as the crime victims they are.

Nevertheless, we get survey results like this one indicating the desire to cover up is stronger than the desire to do the right thing by customers and suppliers.

But if ethical and moral considerations don’t motivate executives enough, perhaps increased regulatory pressure like the GDPR in the European Union or increasingly strict state disclosure laws across the United States will.

The GDPR requires companies doing business in the EU to disclose breaches within 72 hours of discovery. State laws also put a time limit on notifications. Federal legislators have even proposed a bill to jail executives who hide breaches.

Just from a moral and ethical standpoint, you should inform your customers and vendors, as well as the authorities, ASAP after a breach has been discovered and its breadth has been determined.

I’m talking days, not weeks or months. It will go much more smoothly, too, if you have developed an Incident Response Plan that lists those responsible for breach disclosures in your company — who contacts authorities, who handles customer / vendor / public notifications, public relations, etc.

Don’t be stupid and irresponsible with your breach disclosures when you become a victim. Be considerate and responsible and look out for your customers’ and vendors’ best interests too.
