There is a right way and a wrong way for an organization to handle a data breach. Unfortunately, they are sometimes the SAME way.
The consensus in crisis management is that it is always best to get in front of a bad news story by getting it out quickly so you can frame the story in your own terms and, hopefully, get it behind you sooner. In the recent Target data breach, the department store has been praised for its public acknowledgement of the breach, while also being criticized for being vague about the causes and minimizing potential consequences to consumers.
In 2011, VeriSign was widely criticized for failing to disclose a serious data breach that occurred in 2010. It only became public when it was mentioned in an SEC-mandated filing. That’s a heck of a way to treat customers who could be impacted.
On the other hand, a March 2011 study by the Ponemon Institute concluded that companies often disclose a data breach too quickly, before the causes and scope of the breach are understood. This can result in unnecessarily upsetting customers and others who were not actually impacted.
Interestingly, this study was sponsored by Symantec, which happened to purchase from VeriSign the SSL Certificate business that may have been a victim of the 2010 breach. Because of this, Symantec and its SSL business lost a significant amount of credibility. SSL Certificates are used to ensure you can trust a web site you are visiting. If you can’t trust the Certificate Authority that issues the certificates, what good are they?
A critical factor to determine how quickly you go public with a data breach is the significance of the data being breached. In today’s digital world, Personal Identity Information (PII) can be used by criminals and those with malicious intent to cause serious fraud and harm. It doesn’t have to be a social security or credit card number to cause a person grief. If there is enough information to individually identify a person in a particular context, such as the owner of an SSL Certificate, serious harm can be done.
There definitely needs to be a middle ground between rushing the bad news out prematurely and doing absolutely nothing as VeriSign did. The key is to act quickly on a forensic investigation and to take appropriate action promptly once the facts are in hand.
Unfortunately, in our highly litigious society a firm may feel compelled to bring in the lawyers before they bring in a forensic technology expert. As anyone who has watched an episode of the old show “The Practice” knows, the first thing a good defense lawyer tells the accused is to shut up. That can be good advice when being prosecuted, but is a very bad business practice when dealing with customers and the public.
On the other hand, the legal landscape in this area is murky. Many states have passed laws regarding the protection of personal information, some in general and some for specific industries such as health care and credit reporting. The “Data Accountability and Trust Act” has been stuck in Congress for several years. If ever passed, it could require notification of those affected by a data breach within 60 days of the incident.
Of course, the best thing to do is to prevent the breach in the first place. A 2012 Verizon report found that most data breaches could have been prevented if the victims had simply implemented firewalls and used antivirus protection. Why take such chances when Comodo provides antivirus protection that guarantees you will never be harmed by a virus?