Recently, a popular online retailer revealed a month-long data breach. Card-skimming code was found capturing customer credit card data from the payment page of its website and sending that data to what appeared to be a legitimate server (with a similar domain name and a valid HTTPS certificate). The company has not yet determined which customer accounts may have been affected, so the extent of the damage is yet to be determined.
There is never a perfect time to break the news of a breach, and while there may be legitimate justifications for holding off on a public response while an incident is still being investigated, it’s important to consider the downstream impact of delaying the notification. Each day that passes without notification, the more time the attackers have to inventory and market the exfiltrated data, potentially putting your customers at greater risk of identity theft.
Controlling the message is crucial. We believe that it is in both the company’s and the customers’ best interest to issue a holding statement to customers. This statement should communicate what you know, steps you’ve taken, and a pledge to support your customers through this difficult time. Your holding statement should not speculate on numbers affected; rather, it should be focused on informing customers and allowing your organization time to complete the investigation. Even if the full details of the incident are not yet known, early communication to your customers allows them time to reconcile their personal information and take protective measures.
Preparing for the inevitability of a data breach and documenting how your organization will respond is essential. Having a defined set of criteria within your incident response plan on if, when, and how to notify will better position your organization to make the best-informed timing decision when it needs to be made. Getting guidance from your public relations or marketing team is a good place to start. Their knowledge of the current social climate and experience in brand recovery can help guide messaging. It may be tempting to downplay or hold off announcing there has been a breach, since as we’ve seen recently, public backlash can be worse than the breach itself. Yet, the details will eventually come out, and directing how it comes out is an important part of incident response.
Every company needs an incident response plan—and before an incident occurs. The plan should include notification to third parties. Be prepared, review your current incident response plan, and determine how your organization would provide notification should there be a breach.