When a data breach occurs, the affected organization has a number of steps that they have to follow as part of their response to the event. When the breach is finally publicly announced, one of the first questions from customers and the general public is, “when did this happen?” The answer to this question varies, but when it has been more than a few weeks since the data breach event occurred, the public typically wants to know why they weren’t notified sooner, why the breach wasn’t detected sooner and what else the organization is keeping from them in the midst of such an occurrence. Simply put, the delaying of a public response after a breach can be a PR nightmare.
One example of a delayed public response lies in the data breach event at the credit reporting agency, Equifax, last year. The security team at the bureau discovered the breach on July 29th, 2017, but did not disclose it until September 7th – nearly six weeks later. Prompt public disclosure after a breach is more complicated than it appears, because while organizations have a responsibility to inform those affected by a data breach event, they are also required to notify regulatory bodies as quickly as possible and have all of their facts, information and recovery plans set in place before they can craft their public message.
So how long should public response to a breach take? And what should it look like? The answer to this question varies, but the general idea is that it should be done as quickly as possible while still being as careful as possible in creating the message that will be shared. It is crucial to notify affected parties in a timely manner, because they need to be able to deal with the potential effects that a major data breach event may have on them. However, announcing the breach too soon with not enough information or in an unprofessional manner can cause additional problems as well.
Last month, communications giant T-Mobile announced that they had discovered an “unauthorized capture of data” in which hackers stole names, billing zip codes, phone numbers, email addresses, account numbers and account types of customers. The breach was discovered on a Monday, and the company began notifying customers on Friday of the same week. They chose to do so through text messages sent only to affected accounts, and this technique drew some criticism and even caused some confusion. The brief text message included a quick description of the event and a shortlink to click on for more information, which some people felt looked more like a phishing message than a legitimate announcement. The company’s attempt to share their fast cyber security response ended up looking more like a cyber security risk.
While there are really no clear guidelines or laws regarding exactly how soon a company must disclose a data breach or how much information they need to share upfront, it is clear that customers and the general public expect a timely and informative response. Businesses can achieve this by having a solid data breach response plan, and insurance agents can help businesses by offering cyber liability insurance that extends beyond just coverage and includes risk management assistance to take them step by step through data breach protection and recovery.
About Connected Risk Solutions
At Connected Risk Solutions, we use our expertise and experience to provide insurance information and programs to those who serve long-term care and senior living facilities. Since 2007, we’ve been offering insurance and risk management plans designed to help our agents give their clients the ability to achieve continued growth while simultaneously protecting against loss, containing costs and increasing profitability. To learn more, contact us at (847) 832-9100.