One of the non-technical issues businesses face during a data breach is media obligations. Many regulations, such as HIPAA or GDPR, require you to inform your customers and business partners when a cybersecurity incident occurs. However, this can be difficult because many businesses are worried about the effect disclosure can have on their reputation, the potential loss of business, and the risk of appearing incompetent in the media.
On average, 29% of businesses that suffer a data breach end up losing revenue, and of that 29%, 38% experienced a loss of revenue of at least 20% or more. Being able to properly handle media obligations and notification requirements, and to frame things the correct way, is an important thing to understand when you're going through a security crisis. Here are some key tips to ensure that you minimize the negative impact in the media when you have a security breach that you are required to report:
Understand Your Reporting Obligations
Depending on your company's industry and location, you will have specific requirements on who you need to notify when a data breach occurs. There are four things you need to be aware of:
1) Who needs to be notified: This will usually include a regulatory authority for your industry, impacted customers, third-party vendors and anyone else whose information has been impacted or who may be at risk as a result of the data breach.
2) Be aware of your timeline: There are almost always time restrictions that mandate when you need to inform each group. In order to be compliant with the law, you need to know these deadlines.
3) Know the medium you should use: According to the laws that govern your business, you may be required to use certain communication mediums such as email, postal mail or phone call. It's important to know which options are available to you before sending out the notice.
4) Know the areas you do business in: The laws governing your breach notification requirements are not based only on where your business operates. They are also based on where your customers live. For example, if your business is based in California but you collect consumer information in Florida, you are subject to the laws that govern consumer information in Florida.
Fortunately, many different companies have online databases that outline notification requirements in different areas. In order to make sure you are fulfilling your requirements, I would suggest using multiple sources, and preferably state or government sources, to identify your requirements. To get started, here is a website that has breach notification requirements across all US states. For Canada, you can start your search here.
How To Deal With The Media
Once you have identified your notification requirements and the groups of people that need to be informed, you need to figure out the best way to approach the communication itself.
Avoid making absolute statements: Keep in mind that once you put information out there, it is there forever. Going back on what you've said in the past can make you look incompetent and will make people doubt what you have to say going forward. Avoid the temptation to say things like "there was no data leakage" unless you are absolutely sure. Instead, saying something like "we have found no evidence of data leakage and we will continue to give out updates as new information becomes available" gives the same information but leaves you more room if you find out later that people's information was leaked. Try to avoid absolute statements, especially early on.
Make yourself easy to find: Once you have announced a data breach, many consumers and businesses will be looking for information on how this situation affects them. It's a good idea to have a place where new updates on the situation are posted, so that this information is easily accessible. Usually this is on a company's blog page, where updates are added as new information comes in. You can also provide a number for a company representative that people can contact if they have specific questions, but the point here is to make sure you are easy to contact.
If applicable, reference other companies: If the attack that led to your data breach has affected other companies, I would suggest mentioning this during your initial announcement. In my experience, when multiple companies are breached by the same threat group, people tend to be more sympathetic. It's less likely that they will see your company as incompetent, because the attack worked against multiple companies and it is harder for people to justify saying all the affected companies were incompetent. Making a statement like "On September 1st 2020, we suffered a ransomware attack by xxxx threat group similar to the attacks against [company 1] and [company 2]" will make it easier for you to fly under the radar and seem more like an unfortunate victim than an incompetent company.
Understand your business partners' needs: When you're communicating with your stakeholders, it's important to give them the information that they need. For example, if you are a third-party vendor to another company, they will often need a statement from you saying that none of their customers' PII has been leaked during the data breach. Consumers may be more concerned with things like their credit card numbers, social security numbers, names and addresses, and other things that would affect them directly.
Don't say too much: You don't need to share the intricate details of your investigation with the public; this can lead to scrutiny of how you're performing your investigation. You only need to share the results of what you've found. In private, you can consult with the experts you've brought in to ensure you are going about the investigation the right way.
Offer customer protection: In order to mitigate the loss of customers, it's good to offer services like credit monitoring. This helps to reduce the impact of stolen information for your customers and shows them that you care about them, which makes them more likely to continue doing business with you.
In order to properly handle media communications during a cybersecurity breach, you need to properly understand your notification requirements. These are local, national and industry specific. They outline who needs to be informed, set deadlines for when they need to be notified, and define the acceptable means through which they should be notified. After an incident has occurred, it is important to provide regular updates, make yourself easy to contact, and try to minimize the impact of the data breach for customers and business partners.