📬 Mailbag Reader Question

How do you manage/balance truthful communications about an incident/breach while mitigating legal exposure?

I’m not a lawyer, so I won’t be giving any legal advice. However, I have been fortunate to work with many brilliant cybersecurity attorneys throughout my career. I didn’t always agree with them on every aspect of incident or breach communications, but the one thing we always agreed on is that truthful communication is the only way forward. Fear of telling the truth is an indicator that you know you should have done more – so go do it now.

Preparing for incidents means preparing for lawsuits.

If you are a U.S. company, then whenever you have a breach, expect lawsuits. Period. It will happen no matter what you say, because a lot of people make a living off suing you. It's not personal. And regardless of the outcome (most cases are dismissed, some are won, and some are lost), it will be expensive just to respond. There's nothing you can say to prevent this from happening, so it shouldn't be a dominant factor in communication decisions, except that both judges and juries tend to look unfavorably on evidence of dishonesty. In my experience, thinking you'll be able to avoid costly litigation by hiding or withholding information is shortsighted.

Incidents are simply expensive (engineering time, outside counsel, external investigators, customer support, PR support, etc.), so we should try to avoid them by making smarter long-term decisions about our systems, products, and organizations. This is one reason why Discernible approaches incident communications as proactive, not reactive. If we want to be proud of what our organizations say during an incident, we must make it true in advance.

For example, if you work in B2C, account takeovers are typically a big part of your risk model. There is usually valuable information inside those user accounts, account takeovers are often the most visible security issue for mainstream media, and they generate a lot of customer support tickets ($$$). So when we consider what an organization would say in response to a legitimate or even rumored incident involving the exposure of user credentials or access to user accounts, the best answer isn't PR spin, it's security engineering.

Years ago it was popular for companies whose user login credentials were exposed to launch two-factor authentication at the same time, as part of their incident response communications, demonstrating that they could have done this before to protect users but didn't. What if, instead, you could say something like, "our user accounts already support MFA by default to protect against credential stuffing or dictionary attacks"? One of our clients went a step further to double hash both usernames and passwords so that even if the company's systems are compromised, user credentials aren't exposed. They're not afraid to tell the truth.


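To make the "credentials aren't exposed" claim concrete, here is an added example of what such a credential store can look like. It is not the client's implementation or code from Discernible; it is my reading of "hash both usernames and passwords": the username is stored only as a keyed hash (HMAC with a server-side pepper) used as the lookup key, and the password as a salted, iterated PBKDF2-HMAC-SHA256 hash. The pepper value, the in-memory table, and the sample account are all constructed for the example; in a real deployment the pepper lives in a KMS or secret manager, never in the same store as the records.

```python
"""Credential storage where an exfiltrated table reveals neither usernames nor passwords.

Added example (not code from the original post or its client). Assumes:
  * a server-side pepper kept outside the database (constructed constant below),
  * PBKDF2-HMAC-SHA256 with a per-user random salt for passwords,
  * HMAC(pepper, normalized username) as the lookup key instead of the username.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed for this example. In production: loaded from a KMS/HSM/secret manager.
PEPPER = bytes.fromhex("5f1c8a2e9b3d4c6e7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f")
PBKDF2_ITERATIONS = 600_000  # OWASP's recommended floor for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def username_key(username: str) -> str:
    """Lookup key stored in place of the username.

    Without the pepper, someone holding the table cannot even test whether a
    given e-mail address appears in it, so the dump is useless for targeting
    those users with credential stuffing elsewhere.
    """
    normalized = username.strip().lower().encode("utf-8")
    return hmac.new(PEPPER, normalized, hashlib.sha256).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated password hash. Returns (salt, derived_key)."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, derived


class CredentialStore:
    """In-memory stand-in for the accounts table. Every stored field is a hash."""

    def __init__(self) -> None:
        self._rows: Dict[str, Tuple[bytes, bytes]] = {}
        # Decoy record so that a lookup for an unknown user costs the same as a
        # real one, which blunts timing-based username enumeration.
        self._decoy = hash_password(os.urandom(16).hex())

    def register(self, username: str, password: str) -> None:
        key = username_key(username)
        if key in self._rows:
            raise ValueError("account already exists")
        self._rows[key] = hash_password(password)

    def verify(self, username: str, password: str) -> bool:
        key = username_key(username)
        salt, expected = self._rows.get(key, self._decoy)
        _, actual = hash_password(password, salt)
        return hmac.compare_digest(actual, expected) and key in self._rows

    def dump(self) -> Dict[str, Tuple[str, str]]:
        """What an attacker sees after exfiltrating the table: hex strings only."""
        return {k: (s.hex(), d.hex()) for k, (s, d) in self._rows.items()}


def dump_exposes(store: CredentialStore, username: str, password: str) -> bool:
    """True if either plaintext appears anywhere in the exfiltrated table."""
    blob = repr(store.dump())
    return username in blob or password in blob


if __name__ == "__main__":
    store = CredentialStore()
    store.register("Alice@Example.com", "Tr0ub4dor&3")  # constructed sample account
    print("login ok:", store.verify("alice@example.com", "Tr0ub4dor&3"))
    print("dump exposes plaintext:", dump_exposes(store, "alice@example.com", "Tr0ub4dor&3"))
```

The point of the decoy record in `verify` is that "no such user" and "wrong password" take the same amount of work, so an attacker cannot use response time to confirm which addresses are registered. Note that a peppered username key means you cannot list accounts by e-mail address without the pepper either, which is the trade-off you are deliberately making.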
A very wise cybersecurity attorney once told me, “there are worse things than getting sued for doing the right thing.” 

Incidents will happen. Lawsuits will happen. The question is how you want to show up in that moment. Will you show up as a defensive, cowardly company embarrassed by its own disregard for its customers, or will you be ready to own up to the truth because you're proud of everything you did in advance to minimize the impact on others?

Preparing for incidents means preparing to tell the truth to everyone.

Additionally, lawsuits are only one type of legal risk involved in security incidents. Regulatory investigations and breach-of-contract claims from B2B customers are usually even more expensive than lawsuits, with a potentially greater impact on your bottom line. In both cases, being able to demonstrate that you were as forthcoming as you possibly could be, as quickly as you could be (including being honest about your level of confidence in various conclusions), could be the very thing that saves your company from millions of dollars in fines, multi-decade settlements, and customer churn.

Lawyers and communication professionals want the same thing for our organizations: to thrive with as few distractions as possible. If you leave a vacuum of information for customers, journalists, and regulators to fill with their own imaginations, I promise it will cost you a lot more than showing up with your ready-made receipts proving how much you truly did care about your customers’ security before today. 

- - -

Anonymously submit your own questions to our team of experts at discernibleinc.com/blog.
