Data Breach Reporting: The Who, When and Why
Between 2011 and 2017 there were an estimated 4,732 cyber attacks carried out against American businesses. However, only 24 of those breaches were reported to the SEC by the affected company. Those numbers are surprising, but the fact that companies are tight lipped is not.
Data breach reporting is a highly-sensitive process. Companies know it’s their obligation to inform victims. But going public about the breach can make it harder to clean up the problem and catch the perpetrators. It’s also a major public relations blow to the brand. And since the SEC has guidelines but not federal rules about reporting, delays and excuses are common.
That may be understandable, but that doesn’t make it acceptable. Reporting is an ethical obligation and also a legal liability for companies. Companies that wait weeks, months, or even years to report breaches potentially compound the damage done to victims. If and when those victims choose to go to court, they have grounds to demand much larger settlements. The growth of the cybersecurity insurance industry is largely due to the growth in size and frequency of these settlements.
It’s easy to conclude that companies should report the breach as quickly and completely as possible. Unfortunately, it’s not that easy when so much is at stake. Following these best practices to approach breach notification systematically:
- Understand Your Legal Obligation – All states have laws requiring reporting, including the District of Columbia, Puerto Rico, and the Virgin Islands. There may also be other local, state, or federal laws that inform the reporting process. Study these laws in advance of any breach, and determine exactly when they apply and what they mandate. In some cases the breach must be reported within 72 hours of discovery.
- Notify Law Enforcement – This is mandatory ASAP after a data breach. Even if the extent of the breach/victims is unknown, law enforcement must be aware of the incident. Once law enforcement is involved there are professional investigators pursuing the hackers. Contact local officials first. If they cannot help they will recommend you to state or federal officials.
- Coordinate the Response – An inconsistent and disorganized response is just as bad as a late response. Pick someone to be the spokesperson, and make sure the message is consistent in public statements, on social media, and in official documentation. It’s possible to make the situation worse if victims are notified but not notified completely or accurately.
- Consider Notification Options – The preferred way of notifying victims is through traditional mail. In special circumstances, however, companies are allowed to send out email notifications. Look at the cost of notifications based on the scale of the incident. Then determine how to directly notify victims and how to publicize the incident generally, Most companies also include resources on their website, issue a press release, and make spokespeople available to the media.
If the data breach notification process sounds unpleasant your interpretation is accurate. It’s a necessary evil for companies that suffer from a cyber incident. Unfortunately, avoiding these incidents is almost impossible. The strategy that more companies are taking is to plan for the worst early. Make a plan for responding to an incident, including in-depth details about notification. It may not be able to spare a company embarrassment, but it can spare them expense.