Ted Kobus, co-leader of BakerHostetler’s Privacy and Data Protection team, advises on risk management, compliance, incident response strategies, and regulatory and class action defense. He has led more than 750 incident responses, is ranked in Chambers USA, and was named an MVP by Law360 for Privacy/Consumer Protection. He is currently representing Premera Blue Cross Blue Shield in incident response, law enforcement investigation, legislative inquiries, regulatory investigations, and the over 20 class action lawsuits filed to date.
Only five months into 2015, several high-profile data breaches have already affected nearly 100 million people, and this apparent data breach epidemic shows no signs of slowing down. As the fallout from these breaches continues to unfold, organizations not yet affected should take this opportunity to study these incidents and assess their own preparedness to deal with a similar event while they still can.
However, even the most rigorous breach preparations can be undercut by one crucial aspect of breach response: communication. When it comes to data breaches, perception is reality. Regardless of how diligent, thorough, or prepared an organization may be, the timing and manner in which the organization communicates a breach to the public and regulators shape how the incident is perceived more than any other aspect of breach response.
Here are 5 communication tips for surviving the data breach epidemic of 2015:
1. Don’t Go Public Until You Have All the Facts
When responding to a data breach, organizations must walk a fine line between prompt notification and accurate notification. Prompt notification is essential if affected individuals are to protect themselves. However, notifying individuals prior to gathering the information needed to assess and fully understand the incident creates the risk of providing inaccurate information. And inaccuracy can turn an already difficult situation into a nightmare.
An organization that disseminates incorrect information not only creates a negative perception of its competency and honesty, it must also spend significant time and resources to rectify the situation. These efforts may overshadow the positive aspects of the organization’s response, such as remediation efforts and corrective actions.
Taking the time to collect all of the facts before going public, within whatever notification deadlines apply to the organization, is the best way to ensure that communications are accurate and complete, and doing so may even reveal that notification is unnecessary.
2. Avoid Sending Out Multiple Notices
When an individual receives a notice that their information has been compromised, they will likely (and understandably) be alarmed and concerned about the security of their identity. When an individual receives multiple notices regarding the same incident, they will likely (and understandably) be confused and irritated as well as alarmed and concerned about the security of their identity.
A follow-up notice rarely contains good news, and no matter how artfully the notice is written, the mere fact that multiple notices are required for a single incident naturally raises suspicion among recipients as well as regulators. Multiple notices also prolong the life of an incident in the public eye and increase the likelihood of inconsistency or contradiction in an organization’s messaging, intentional or otherwise. Sometimes multiple notices are unavoidable, but organizations should do everything they can to avoid stirring up confusion and skepticism.