When Should a Data Breach be Made Public?
We are in the midst of a golden age of hacking. Data breaches are an increasingly common occurrence, impacting small businesses and multinational corporations alike. The question for most companies now is not whether an incident will occur, but when it will occur.
Defending against cyber intrusions is the duty of everyone who processes information. Yet increasingly that defense should be viewed as stemming the tide of the inevitable rather than an absolute wall against intrusions. Given this state of affairs, it may be time to consider the reaction to cyber attacks as an intrinsic part of the security equation.
While every company will put its main effort into preventing an intrusion, consumers and regulators alike are starting to pay more attention to the reaction once an attack has occurred. It is in this post-attack period that a delicate dance often plays out on the public relations side. Companies face a difficult choice about when to release information about the attack, or even whether to acknowledge an attack in the first place.
The regulatory and legal consensus on this is still evolving. Most US states require companies to report a data breach within thirty days of learning about it. The European Union, always upping the ante on protection of personal data, recently announced a reporting deadline of just seventy-two hours from the moment an organization becomes aware of a breach. The President has put forward a legislative proposal requiring companies of a certain size to report data breaches "without undue delay", with a thirty-day limit. Some of these policies require reporting only to government officials, but others go further, requiring an accounting to affected individuals as well.
Transparency is usually considered to be desirable, but is it in this particular case? It depends on your point of view.
Companies often have good reasons for keeping cyber attacks secret. First and foremost, they want to fix the problem before revealing any back door into their systems: a public announcement that names an unpatched weakness invites copycat attackers to use it. It might make sense to reveal a weakness to a government authority, which may have the resources to help with the problem, and it is usually possible to disclose that a breach occurred without publishing the details of the hole until it is closed. Yet a premature public disclosure runs the risk of actually opening the door to further damage. From a strict public relations angle, it also makes sense to tell the public "we had an issue, but it's fixed" rather than "we still have a problem".
Instinctively, consumers want to know about a data breach as soon as possible. The reasoning is that early notice allows for some sort of action: signing up for a credit monitoring service, getting a new credit card number, changing a reused password, or some other remedial form of protection. Yet in practice, most consumers have very little idea what to do in reaction to a data breach. Knowledge is only power if you know what to do with it, and in this case most people don't have a clue how to truly protect themselves.
When it comes to data breach response, there may be a difference between the politically and socially acceptable response (reveal as much as possible, as soon as possible) and the most effective one (deal with the threat first).

Of course, none of this is hard and fast. The circumstances, scope, and depth of cyber attacks vary widely, and so should the response. It is natural to create standards and best practices for problems that occur so regularly. Yet cyber attacks defy a one-size-fits-all approach when it comes to publicity. As counterintuitive as it may sound, regulators may have an interest in keeping the situation fluid.