Meeting the Moment: The Art of Apologizing After a Cybersecurity Incident


By Dennis Fisher

Dealing with a data breach or other cybersecurity incident can be a complex, emotional, and volatile situation. There’s typically lots of finger-pointing and heated conversations, and stress levels go through the roof. Everyone is trying to do their jobs while also being very worried about having a job in the future. None of it is remotely easy. 

And in a lot of cases, these things play out in public. If the incident becomes public knowledge through a legally required disclosure, a news report, or some other mechanism, the response and remediation processes instantly become much more complex and fraught with potential pitfalls and obstacles. Having customers, regulators, the media, and investors watching every move is not necessarily conducive to calm, measured decision-making, especially when time is of the essence. But while the road to recovery from a security incident can be long and rocky, one part of the process is pretty simple: apologizing. 

Or at least it should be. But history has shown us that sincere public apologies from breached organizations are vanishingly rare. You’re far more likely to see phrases such as “highly sophisticated attack,” “no evidence this issue has been exploited,” or “we take your security very seriously” than a simple “We’re sorry.” Why is that? Let’s look at some of the main obstacles and see if we can’t figure out how to get around them. 

Resistance to admitting mistakes

Humans are not good at admitting when we’ve done something wrong. From an early age, we’re conditioned to understand that mistakes (or intentional misbehavior) have consequences and we quickly learn that one way to avoid those consequences is not to admit we did anything wrong. Point the finger at a sibling or the dog or your imaginary friend and maybe you won’t have to sit on the stairs in a time out. Every five-year-old knows this innately, and it can take a long time to unlearn this behavior. But corporations (and government agencies) aren’t five-year-olds, even though they sometimes act like they are, and the people who are responsible for dealing with a security incident often fall back on the old instinct to act publicly as if nothing happened. 

Getting out of that mindset requires an understanding of what the consequences of admitting a mistake might be. In an enterprise setting, that means doing the homework ahead of time and understanding how your customers, employees, and other stakeholders might react in the event of a breach.

Fear of bad publicity

One of the nearly universal short-term effects of a public security incident is negative headlines and online discourse. Cybersecurity in general and data breaches specifically have become major topics not just in the tech press but in the mainstream media, as well, thanks in large part to the ransomware epidemic and a steady stream of massive incidents such as the Office of Personnel Management breach, the SolarWinds intrusion, and the CrowdStrike incident. Though there are many knowledgeable journalists who cover cybersecurity incidents with nuance and context, you don’t have to look very hard to find breathless, apocalyptic headlines about relatively minor incidents. PR teams are paid to avoid or limit negative headlines, and issuing a public apology is too often seen as an express route to bad publicity. 

But a security incident will generate news stories regardless of whether the organization issues an apology. That’s how news works. However, the public’s attention span grows shorter by the day, and the sheer volume of security incidents virtually guarantees that there will be another one to replace yours in the news in a matter of days, if not hours. Making a public apology won’t prevent the media from covering a breach, but it can show stakeholders that the organization understands the gravity of the situation and is trying to remedy it. Ideally, communications teams should measure the effects of the statements they put out on the way that customers and other constituencies perceive their brand. 

“I would think based on my experience that the fact that it's going to be publicized is exactly when you want to be seen telling the truth and doing the right thing, but that is not how it works,” says Nick Selby, a longtime security executive currently Executive Vice President at Evertas.

Discernible CEO Melanie Ensign also reminds organizations that security incidents are “an opportunity to demonstrate what you’re truly made of and actually build trust with stakeholders.”

Legal liability

This is the big one. If you think PR teams are paranoid, lawyers make them look positively carefree. The advent of state data breach notification laws in the 2000s provided the public (and plaintiffs’ attorneys) with the first real ammunition for what has become an ever-growing wave of lawsuits against companies hit by data breaches and other incidents. Those suits can be quite expensive, as can government investigations. In 2019, Equifax agreed to a $575 million settlement with the FTC and other government agencies related to a massive data breach in 2017 that affected 147 million people. That’s obviously an outlier, but legal action follows data breaches as day follows night. But the potential for a lawsuit should not be a deciding factor in whether an organization formally apologizes for an incident. The lawsuits will likely come either way, and customers are more apt to feel positively about a company that communicates its remorse and intentions going forward rather than one that deflects, denies, and dissembles.

“It’s not always easy to quantifiably prove that people feel better when they get an apology,” says Selby, “but it’s anecdotally clear that they do. And there is research from other fields like healthcare suggesting the ultimate outcome of serious mistakes is improved with apologies,” he adds, citing a 2023 article published in the Amsterdam Law Forum. “In at least one incident I’ve spoken about before, the apology absolutely helped, the users accepted it, and the company thrived post-incident.”

Ultimately, lawyers and government regulators are going to do what they’re paid or legally required to do, and being sorry in public isn’t going to suddenly spur any of them into an action they weren’t already contemplating. To paraphrase a legendary security paper, if the Department of Justice (or FTC or SEC) is your adversary, you’re gonna get got and there’s nothing you can do about it. 

Ensign says many companies that approach security and incident communications as a purely CYA exercise or crisis management often miss the ongoing relationship between regulators’ opinions of a company’s security and non-security issues. Having led security communications programs at global regulators’ favorite targets, including Uber and Facebook, she says, “The way external stakeholders perceive your response to security incidents is absolutely influenced by their overall feelings about your brand. So, building a resilient reputation with effective and compassionate security communications starts long before an incident occurs.”

From a litigation perspective, Michelle Finneran Dennedy, Chief Data Strategy Officer at Abaxx Technologies and former Chief Privacy Officer at Cisco and McAfee, says the indicators of success have changed. 

“Do we get sued? That measurement needs to come off the table. The metric is now how quickly can I make this end at summary judgment? That's a very specific thing,” she says. 

“If you're afraid of discovery in a fictitious lawsuit, then you don't have reliable data with which to operate and manage your business.”

And if that’s the case, you have many other problems, and hiding behind a legal team won’t solve them. 

Be honest, forthright, and contrite; good things will follow. Or don’t, and see how that works out for you.
