The Confusing Part About Data Breach Notification Is Actually Pretty Clear
What should a company say in a data breach notification? The debate goes on, and companies would actually like more (gasp) regulations to tell them exactly what to say so they can protect themselves from lawsuits. The attached article gives plenty of reasons for the confusion. Organizations have time limits (under GDPR and other laws) to report a breach, so they have to report it before they know all the facts, because investigations take time. Then the attorneys get involved and put out a long legal statement designed to protect the company, not to inform the customer of what they should actually do about the breach. All the customer wants to be told is what to do about it.
I am going to tell you a HUGE secret: I have never conducted an investigation as a result of a breach that turned out BETTER than what we originally thought. Meaning, if we had a reportable incident, it was bad; the only thing left to figure out was just how bad. A security team knows where the gaps are. Go to your security operations people right now, someone who is involved in the day-to-day, and ask them point blank where the major blind spots are. Most will tell you: if this part of the network, or this application, or this database is hit, we will be in deep trouble.
All that to say, when it comes to breach notification, transparency is always best. Tell your customers in the first paragraph what is known about the incident and what they should do, because I can almost guarantee it is not going to get any better. For example, give two bullet points saying "this is what we recommend you do to protect yourself," and add something like "this advice is given out of an abundance of caution as the issue is still under investigation."
How many times have you seen or heard in the news a company make a statement like "this was an isolated incident and we have determined it was limited to this area, network, etc.," only to have them come back and say "we found additional information and it is worse than we thought"? Case in point: the recent American Medical Collections Agency breach, which now includes Quest and LabCorp. Downplaying an incident is worse than just coming clean about it. A company may be more likely to be sued if it comes out that it was being less than forthcoming, and it should have known better.