Waiting, Waiting, Waiting... Is There a Right Time for Breach Notification?

Andrew Brosman, Senior Security Consultant, Cyber Risk Advisory

Recently, a popular online retailer revealed a month-long data breach. Card-skimming code was found capturing customer credit card data from the payment page of its website and sending that data to what appeared to be a legitimate server (with a similar domain name and a valid HTTPS certificate). The company has not yet determined which customer accounts may have been affected, so the extent of the damage is yet to be determined.

There is never a perfect time to break the news of a breach, and while there may be legitimate justifications for holding off on a public response while an incident is still being investigated, it’s important to consider the downstream impact of delaying the notification. Each day that passes without notification gives the attackers more time to inventory and market the exfiltrated data, potentially putting your customers at greater risk of identity theft.

Controlling the message is crucial. We believe that it is in both the company’s and the customers’ best interest to issue a holding statement to customers. This statement should communicate what you know, steps you’ve taken, and a pledge to support your customers through this difficult time. Your holding statement should not speculate on numbers affected; rather, it should be focused on informing customers and allowing your organization time to complete the investigation. Even if the full details of the incident are not yet known, early communication to your customers allows them time to reconcile their personal information and take protective measures.

Preparing for the inevitability of a data breach and documenting how your organization will respond is essential. Having a defined set of criteria within your incident response plan on if, when, and how to notify will better position your organization to make the best-informed timing decision when it needs to be made. Getting guidance from your public relations or marketing team is a good place to start. Their knowledge of the current social climate and experience in brand recovery can help guide messaging. It may be tempting to downplay or hold off announcing that there has been a breach, since, as we’ve seen recently, public backlash can be worse than the breach itself. Yet the details will eventually come out, and directing how they come out is an important part of incident response.

Every company needs an incident response plan, and it needs one before an incident occurs. The plan should include notification to third parties. Be prepared: review your current incident response plan and determine how your organization would provide notification should there be a breach.
