Scrub these Phrases from Your Data Breach Statements 

In the event of a security incident, it's critical that your response is both fast and accurate. Unfortunately, many organizations make the mistake of including one or more of the following three elements in their public statements, which impairs the credibility and trustworthiness of their response. By avoiding them, you can help ensure that your organization's response is taken seriously.

1. Claiming Security or Privacy is Important to You

In the aftermath of a security incident, the last thing you want to do is come across as though you don't take security seriously. Unfortunately, that's exactly what happens when you make statements like "security is important to us" or "we take security very seriously." Not only are these statements clichéd, but they're often counterproductive, as TechCrunch reported nearly 4 years ago. Using this phrase actually casts doubt on your commitment right away. Instead, focus on the specific steps your organization is taking to mitigate both the current risk and future incidents.

It's not enough to say security or privacy are important to your organization; you have to prove it with action. What steps have you taken before, during, and after the breach to prioritize and protect the security and privacy of user data? What are you willing to leave on the table to maintain or repair trust in your organization?

2. Citing a Lack of Evidence of a Malicious Thing Happening as Evidence That It Hasn't Happened

Another big mistake often made in response statements is citing a lack of evidence of a specific action as evidence that the action didn't occur. For example, as Bob Lord wrote back in 2015:

“The phrase ‘no evidence’ could mean everything from ‘we have tons of evidence and we're sifting through it, but the probability of the attackers accessing your data is very low,’ all the way to ‘we don't collect data for use by incident responders, so who knows?’”

Just because you don't have evidence that something bad happened doesn't mean it didn't happen. By assuming responsibility and explaining how you've proven various aspects of the situation and why you're confident about specific findings of your investigation, you can help avoid further damage to your organization's reputation.

3. Over-Emphasizing Insincere Details

One of the most common examples I see is the over-reliance on credit card information as an indicator of risk to consumers. It's disingenuous to imply that the presence or absence of this data accurately represents the severity of an incident, because other types of data can carry a far greater risk to consumers, such as information about location and travel patterns, or medical status. Rarely are consumers held accountable for fraudulent charges when they report a stolen credit card, but a compromise of biometric information, for example, is much harder for end users to mitigate.

Moreover, when companies do call out that specific information was not affected by an incident, they often miss the opportunity to explain why. Did you just get lucky, or did you make a deliberate decision that reduced the potential damage? Maybe you're following the privacy principle of data minimization and made the conscious decision not to collect or store certain information. These details matter, and I believe we should be encouraging organizations to talk about their proactive efforts to reduce risk.

As a reminder, not all security or privacy incidents involve technical intrusions or a data breach, as we've discussed here. These common mistakes are most often made when organizations approach stakeholder communication about security and privacy issues as reactive only, believing it only needs to happen to mitigate an incident. At Discernible, we work with clients to develop ongoing and proactive stakeholder communications to earn credibility and trust before incidents occur.

Security and privacy incidents can cause anxiety for businesses and consumers alike. In order to minimize the damage caused by an incident – or even better – to optimize the impact, it's critical that businesses get their security incident response statements right. By avoiding common mistakes like those described above, you can help ensure that your organization's response is taken seriously.
