O wad some Power the giftie gie us
To see oursels as ithers see us!
It wad frae monie a blunder free us…
Robert Burns – Scottish poet
One of the most critical, and apparently undervalued, aspects of response planning and preparation is communication. Credit reporting bureau Experian retained the Ponemon Institute to survey executives in the United States about how prepared they think their companies are to respond to a data breach. One of the findings that stood out … 67 percent do not believe their organization understands what needs to be done following a material data breach to prevent the loss of customers’ and business partners’ trust and confidence.
How a company is perceived as managing its response to a breach will either raise or lower the cost to its reputation. Stakeholders’ expectations about what constitutes effective response are continuing to evolve. Their perception will be shaped by the actions the company takes and the way those actions are communicated. It is imperative that a cyber incident response plan spell out actions that will be taken including the way information will be shared, and identify specific roles for the individuals who will have responsibility for managing and executing the communications effort. This includes both internal communications, beginning with the notification process (When do you inform the CEO? When do you notify the board of directors?) and external communications to various stakeholders.
Companies are wrestling with the question of when to communicate in the aftermath of a cyber attack. Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or government entities to notify individuals of security breaches of information involving personally identifiable information. The time requirements vary from state to state. The White House and several members of Congress have proposed national data breach notification standards. The European Union currently is working toward imposing a standard that requires notification of parties affected by a data breach “without undue delay.”
The mandatory disclosure requirements are only part of the picture. From the moment a data breach is discovered, the clock starts ticking. Companies seldom will have a complete picture of the scale and scope of the attack or reliable attribution identifying the perpetrator(s) and their intentions. Depending on the nature of the business, there will be both federal and state regulations to consider, as well as a host of sometimes competing imperatives. There will be voices suggesting the prudent course is to wait to disclose a breach. But waiting carries its own risk. The National Consumers League sponsored a study of data fraud victims, exploring their attitudes, experiences and perceptions. Carried out by Javelin Strategy & Research, the study found that breaches gravely affect consumer confidence. Significantly, nearly 90 percent of the victims felt that businesses should notify affected consumers immediately when a breach is discovered. As the adage goes, bad news doesn’t get better with age.
For every breach there is a range of potential damages, each of which will extract an economic cost. In virtually every instance, the single biggest damage potential lies in the damage that can be done to the corporate reputation and brand. According to a recent report from Deloitte, “almost 90 percent of executives surveyed by Forbes Insights in 2014 on behalf of Deloitte say that reputation risk is their key business challenge.” Meeting that challenge during a data breach crisis requires aggressive outreach. A company that can learn from the mistakes of others will distinguish itself during a cyber crisis by seizing the opportunity to aggressively engage with its customer base and other stakeholders, and thereby solidify its relationships and reputation.
By Tom Davis, SDI
May 19, 2015