After the Breach: Making Your Response Count
October 19, 2016 | Data Breaches
By Adam Shostack, IANS Faculty
It’s a cliché to say it, but there are two kinds of companies: those that know they’ve been breached, and those that have yet to figure it out. And after you’ve been breached, your customers are going to judge you.
They won’t really judge you for the breach. They’ll be upset, sure, but most people understand that breaches are now a fact of life. Mistakes happen, and bad people take advantage of mistakes and control failures. What you’ll really be judged on, though, is how you respond. That is under your control, and how you perform under stress says a lot to your customers, partners and investors. Do you show integrity and compassion, or do you hunker down and lash out? Do you eat some humble pie or point fingers?
How you’ll perform under stress is a function of who you are as an organization, and it’s also a function of how, and how well, you prepare for these events. Do you conduct tabletop exercises that include security, operations, legal and PR? Who’s the most senior person at the table as you run those exercises? Going through a breach is hard for the technical responders, and it’s emotionally difficult for leadership.
Your lawyers will tell you to say nothing. They’ll say that everything needs to be done under attorney direction so it’s privileged and that everything you say or do will be used against you in court.
I would never tell you to ignore your lawyers. I would, however, encourage you to ask them questions. If you say nothing, will the media keep digging and asking questions? What happens if some of the documents are leaked, or the hack comes to light in some other way? Are there criminal or regulatory sanctions for covering it up? The Yahoo breach may be instructive here. The company’s multi-year delay in disclosing the issue, compounded by other factors, contributed to a sense of betrayal. Verizon has reputedly cut its bid by a billion dollars. I would also remind you that lawyers give you legal advice, which is just one component of how you form a business strategy (to be fair, good lawyers also give good business and strategic advice).
Tailoring Your Post-Breach Approach
Once you’ve made a mistake and owned up to it, many of your customers may want a little gesture. Credit monitoring has become the default answer, offered up as a matter of routine. That’s a shame, because it’s often a hollow gesture. In many breaches, such as breaches of credit card data, it’s frankly unclear how credit monitoring relates to the threat at all. In others, such as password breaches, password re-use may expose other accounts and data, which eventually enables new account fraud. Even with breaches of SSNs, it’s not clear whether attackers move quickly or sit on the data for a year or three. After all, my social security card didn’t come with an expiration date.
When Andrew Stewart and I wrote “The New School of Information Security,” we predicted that there would be a rise in useful services as a result of the rise in breach notification. That hasn’t come true yet, and I think that the availability of free credit monitoring as a matter of due course is partially to blame. Recently, I submitted a suggestion to the FTC that they do something about this. We’ll see what they do, but you don’t have to wait. In fact, some smart lawyers think that “credit monitoring should not be offered as a matter of due course, but rather in those situations where it truly may provide value to consumers.”
We can think about different offerings, and the time to do so is before the breach even happens. For example, if the possibility of a password breach exists, perhaps offer up a password manager license. If you have an SSN breach, perhaps you could offer assistance services for the next incident that consumer experiences. Sure, there’s some trickiness, and companies want to “close the books,” but maybe someone would take that responsibility off your hands.
Research has shown that making some sort of offering substantially reduces the risk of a lawsuit after a breach. It therefore seems reasonable to expect that a meaningful offer can not only help reduce the risk of a lawsuit, but help you improve your relationships with your customers, partners and investors as well.