According to the latest report from the Identity Theft Research Center, there were 1,802 data breaches affecting more than 422 million victims in 2022. In today’s volatile threat landscape, it’s no longer a question of if your organization gets breached, but when — and more importantly, how — you will respond.
So, while it’s certainly up to CISOs and other cybersecurity leaders to take the necessary steps to prevent data breaches, it’s just as much their responsibility to respond to them in the right way when they happen. We’ve seen how company leaders have mishandled these delicate situations, and we’ve witnessed the consequences. Sweeping a critical cyberattack under the rug, playing the blame game, misleading, or trying to sugarcoat the situation is an easy way to lose public trust and suffer reputational damage that’s difficult to come back from.
Best Practices After a Data Breach
By following a standard set of best practices, CISOs can put their best foot forward to earn back consumer, employee, and investor confidence when a threat actor slips through defenses.
1. Rapid reporting that goes above and beyond: In the United States, data breach reporting standards differ state by state. For instance, New York’s data breach notification law requires organizations to notify state residents of any unauthorized distribution of their personal information without reasonable delay. It also requires submission of the incident to the attorney general and other state government entities. If the breach affects more than 5,000 citizens, consumer reporting agencies must be alerted as well. Conversely, in some states, such as Mississippi, organizations aren’t required to alert any state government entities in the event of a breach. In fact, if an investigation reveals impacted individuals aren’t likely to be harmed by the incident, the organization does not have to alert them.
Regardless of where a company operates and what procedures it is legally compelled to follow, it’s imperative that its leaders go above and beyond to report any data breach incident. This means alerting relevant government agencies as well as any affected individuals, even if those individuals are not likely to be harmed by the incident. To save face, many cyber leaders may be tempted to do the bare minimum when it comes to reporting, but full transparency is critical when responding to a cybersecurity incident. Otherwise, it can look as though the company has something to hide, and it risks harming its reputation as well as losing the trust it has built with its customers.
2. Informing stakeholders with humility and honesty: When it comes to disclosing a cybersecurity incident to stakeholders, how the information is communicated matters. From affected individuals, to partners, to internal employees, all stakeholders should have a thorough understanding of the initial data breach as well as the investigation and remediation efforts.
Comprehensive post-mortem communications should include:
Anyone who discovers their personal data was released without their authorization will understandably feel frustrated by the situation, and an incomplete notification from the organization in question is likely to compound these negative feelings. A direct, transparent, and comprehensive communication straight from those responsible can go a long way. The right messaging can help victims feel empowered with information and give them the peace of mind that the company is working diligently behind the scenes on their behalf. It’s a good idea to have a full business continuity plan in place, providing a road map for CISOs to corral the necessary legal, customer success, public relations, and sales support needed for a cross-functional response.
3. Taking public accountability — the buck stops here: In August 2022, password manager LastPass suffered a significant data breach — but you wouldn’t know it based on the way the company talked about it. LastPass initially claimed the breach was “contained,” but just three months later an attacker accessed LastPass’s cloud environments and password vaults using information compromised in the initial breach. It’s fair to wonder whether downplaying the severity of the attack in its early days cost LastPass security teams valuable time that could have been used to change the critical login information that was later revealed to be compromised.
It’s not enough to privately inform affected stakeholders, or to quietly and quickly patch the problem and move on. Organizational leaders must take the initiative to quickly release a public statement that assumes full responsibility for the situation. Rather than pointing fingers or attempting to downplay the situation, this communication must take 100% accountability. To earn back public trust, especially amongst customers, investors, and employees, it should clearly outline the situation and how the company will avoid similar breaches in the future.
A poor public response to a cybersecurity incident can be damaging enough to a company’s reputation that its stock drops and customers flee. In the case of Twitter, had it publicly disclosed the API breach as soon as it was discovered, it may not have blown up into a PR nightmare. An honest and direct approach sets an example for good corporate citizenship that the public can count on — and remain loyal to. One study found that 25% of consumers have a zero-tolerance policy when it comes to unethical corporate behavior.
Consider a data breach an opportunity to “walk the walk.” After all, good businesses should always be guided by a strong moral compass, and a forthright crisis response is a critical component of fulfilling that mission.
The Right Data Breach Response Can Make a Difference
Data breaches are unfortunately no longer a rarity, and neither are disappointing corporate responses to these situations. Organizations must be prepared with a response procedure that is based on transparency, accountability, and humility. By being forthright about the situation, enterprise leaders can safeguard their reputations and earn back consumer trust.