Breach Notification: Tackling the TimingBalancing Early Disclosure vs. Tardy Notification a Challenge
Following its Nov. 24 hack attack, Sony Pictures Entertainment has faced a barrage of criticism for failing to publicly describe the breach - or even comment on it - for several weeks despite high-profile news coverage.
Also, the United States Postal Service found itself defending its delay in notifying USPS workers of a breach that exposed employees' Social Security numbers, contending authorities didn't initially know what data was pilfered. The USPS learned of the breach in September and notified employees Nov. 10, leading members of Congress to ask why there was a delay.
And TD Bank was recently penalized by the Massachusetts attorney general for failure to comply with a state law that requires organizations to provide written notice of a breach "as soon as practicable and without unreasonable delay." The bank didn't provided notice of a March 2012 incident involving personally identifiable information until October 2012.
Clearly, an organization can face intense scrutiny, and perhaps government penalties, if it waits too long to issue a notification. But in determining the right time to issue a breach notification, organizations have to carefully weigh the risk of premature notification based on insufficient facts versus tardy notification that can have an impact on their reputation.
Of course, some organizations in heavily regulated industries, such as healthcare or banking, face specific federal requirements for breach notification, including the HIPAA breach notification rule and the Gramm-Leach-Bliley Act. In addition, in some cases, law enforcement officials will ask organizations to delay notification while a criminal investigation is continuing.
For other organizations, knowing when the right time is to provide notification of a breach isn't always a simple task. "Notification has become a much more complicated exercise because of the surge in data breaches and its impact on consumer attitudes and behavior," says Michael Bruemmer, vice president of Experian Data Breach Resolution.
It's more important than ever for organizations in all sectors provide prompt communication about a data security incident, says privacy and security attorney Ronald Raether of Faruki Ireland and Cox PLL. "For the company, the key communication piece initially is to say, 'We've stopped this from happening,'" he says. "We may not know how it happened, who's involved or whether information has left the company's systems, but we've stopped the bad guys and they are not still in the system."
An organization should begin notifying the victims of a breach once it's confirmed the incident, begun a forensics investigation and informed regulators, Experian's Bruemmer advises. Notification is merited "even if all the forensics details [such as scope of the data and number of affected parties] are not final," he says.
"Consumers want to hear directly from the breached company with an explanation and apology as soon as possible," he adds. "If decision-makers focus on the consumer first, they will be able to mend their relationship and regain the trust of their customers."
Still, while it's essential that notification be completed as early as possible, an organization should try to nail down some basic facts before it begins outreach, says Shirley Inscoe, an analyst at the consultancy Aite Group. "These facts include the number of accounts impacted, the data fields breached [name, address, Social Security numbers], as well as the period of time and locations where the breach occurred," she says. "Doing this makes it seem like the company fully understands what happened."
But many security experts say that organizations that fail to promptly provide at least preliminary details about a breach risk damage to their reputations.
"For me, one of the biggest lessons from the [Sony] attack is how important it is for the victim organization to communicate often and clearly on the breach," says Brian Honan, a Dublin-based information security consultant, in a recent SANS Institute newsletter. "The lack of information from Sony about the attack led to many wild speculations in various media outlets as to who is behind the attack and what their motivations are."
Some companies make the mistake of waiting until they have completed their investigations to notify affected customers, according to Inscoe. "In some cases, that is just too late," she says. "Consumers may have already experienced the fraud on their cards, e-mail accounts or whatever is applicable."
If the scope of a breach is difficult to assess during an investigation, an organization is better off providing a "sweeping" notification early on, rather than one that underestimates the impact, says Al Pascual, director of fraud and security at Javelin Strategy and Research. "Among consumers, public officials and shareholders, the immediate reputational damage of a breach of a million records is no different than that of 3 million, 10 million or 20 million," he says.
"A breached organization can provide more specifics over time, but it is better for their reputation if they amend the number of records affected downwards than vice versa."
And a vital step in preparing for prompt notification is for organizations to spell out in advance a communications plan they can rely on if they're victimized by a breach. "The [communication] plan is obviously going to be addressing the concerns of the consumer, but it's also going to demonstrate to all the different audiences [investors, regulators] that the company has the issue in hand and under control," Raether, the attorney, says.
Downside to Premature Notice
If some basic details around a breach aren't confirmed before a notification goes out, the notification could have an adverse effect on an organization, as was the case with Target, Inscoe contends.
"They continued to change the facts over the course of several weeks," she says. "As examples, they raised the numbers of cards impacted and the types of data breached," which kept the company in the news and hurt their earnings for a longer period of time.
In contrast, she says, Neiman Marcus and others delayed their announcements to provide more concrete details upfront. "These companies seemed to totally escape consumers' notice because Target was still in the news," Inscoe says.
Because states have widely varying laws governing breach notification, and the nation still lacks a national breach notification law, organizations need to take steps in advance of a breach to comply with state requirements, says Brian Lapidus, practice leader of identity theft and breach notification at Kroll Advisory Solutions.
"Understanding ahead of time where your customers reside, which breach notification laws you are subject to and which vendors you will be working with will be extremely helpful if a security incident occurs," he says.
Organizations also should take inventory of the data they store and which laws are applicable to that data if it is compromised, Lapidus stresses.
Demonstrating Proper Response
An organization should be able to demonstrate that it was responding to an incident appropriately in the time leading up to an official notification announcement, say Kroll's Lapidus. That includes showing that an organization executed its incident response plan and was conducting a thorough investigation. "[This] fairs far better in the court of public opinion than when the tardiness [of a notification] comes as a result of a breached business scrambling to put something together," Lapidus says.
One practice Raether recommends is clearing a breached company's notification letter with the attorney general in the state(s) where most victims reside. That way, government officials are aware of the timing of the announcement, he says.