They can be a nightmare to deal with, but dealing with them is half the battle because the legal problems at stake in the event of a data breach can be devastating. The best way for a company to handle a data breach is to be prepared.
There are several things you can do to put your company in the best position for success such as drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams. Nevertheless, preparation also requires anticipating decision-points that are likely to arise in a breach. One way to inquire as to whether or not your company has done enough in this regard is research other data security incidents and breaches that were have handled over the years and identify the decision-points arising from those breaches that are most difficult.
Many of the areas where companies struggle involve management-level strategic decisions that must be made when a security incident is identified. For each decision to be made there are no “right” or “wrong” answers. Like all strategic decisions management must examine the specific facts facing their company and their organization’s culture, their industry, and business realities. While there may be no right or wrong answer, executives that have anticipated these decision points before a breach are better able to make decisions that align with the organization’s overall strategic goals and are able to do so with greater speed and confidence. No matter the size of a business, making decisions will always be required and the impact of a data breach is not always predictable; however, what you say at the right time really matters and we will discuss this briefly.
If an incident has not been fully investigated and a company makes a strategic decision to notify the public about a security incident before an investigation is complete, or if the existence of the investigation is leaked to the public before it is complete, companies must decide what to say about the incident at a time when little may be known. It is important for management to consider various factors when determining what to say about a security incident when a full forensic investigation is not complete:
It can be difficult to say anything substantive. Companies often have relatively little confidence in the accuracy of preliminary information about an incident. As a result, it can be near-impossible to have any level of confidence concerning substantive information disclosed about the incident.
Disclosing preliminary findings can be dangerous. Disclosing preliminary findings may inadvertently result in conveying information that is later determined to be inaccurate. For example, if a company notifies the public that its ongoing forensic investigation has not identified any evidence of a security breach, if evidence is uncovered in a week suggesting that a breach may have occurred the company will have to decide whether to immediately update the public (e., to rectify what is no longer accurate information). The company may also face potential lawsuits or investigations that seek more information about what the company knew as of the date of the initial disclosure.
Assuring the public can be dangerous. Companies often feel pressure to, at a minimum, assure consumers that their information is safe if they continue to do business with the company. If such an assurance is given, even if it is based on the best information available at the time, if it later proves inaccurate lawsuits or investigations may characterize the decision as designed to ignore possible risks.
Be aware that the releasing information about the investigation is only one of several steps associated with handling a data breach issue for a company. It is best practice to contact an attorney or professional security personnel to be advised of further best practices.