Post-breach etiquette: nine rules when the worst happens

Sure, into every life a little rain must fall. But are data breaches as inevitable?

These days, the answer seems to be Yes. High-profile hacks like Target, the Heartbleed breaches, eBay… the theft of sensitive personal data of thousands upon thousands of credit card holders, financial losses running into the millions… it all just seems to be part of the modern, pervasively wired/wireless landscape.

And it’s not getting any better. Last year was by far the worst ever for security, with 2,164 incidents that exposed 822 million records, according to one security report.

Which means that for security managers, putting together a list of things to do when the worst happens makes as much sense as all the work you put into keeping it from happening in the first place.

And judging by a list of nine rules for post-breach behaviour published on InfoWorld, what to do when someone cracks your security has as much to do with what the PR people call “crisis management” as it does with high technology.

Rule 1: stay out in front of the bad news. Disclose it sooner rather than later, or you risk having the word get out via a third party. eBay got in serious trouble for staying mum for months about a massive security breach that compromised employee accounts, while the music streaming service Spotify was lauded for going public after only a single user account had been hacked.

Rule 2 is along the same lines: tell everything you know, and be honest about what you don’t know. You might naturally want to hide unpleasant details, but if the really bad stuff comes to light via a third-party source your customers will be even angrier and your company’s credibility will go into a nosedive. It may hurt to come clean, but it’ll hurt more in the long run if you try to hide something.

Rule 3 is to understand fully what kind of encryption you have, and make sure it’s up to standard. Industry best practice pegs hashing and salting as the way to go. Adobe Systems got in trouble when it was discovered that it was instead using Triple DES encryption to protect passwords, after an incident in which 2.9 million customer passwords were hacked.

Rule 4: stay on message. In the hectic atmosphere following a major incident, it’s important that you get out a consistent message across all channels. After the recent eBay breach, the company floundered, issuing a press release to the media but failing to post the release on its web site, while it allowed days to pass before firing out email notifications telling customers to change passwords.

Rule 5: look after customers before investors. Being overly solicitous of investor interests when customer privacy and finances are under direct attack will only alienate customers even more.

Rule 6: don’t downplay the negative. Assurances that there’s “no evidence that any stolen data was misused” simply ring hollow. They sound more like the plausibly deniable denials routinely issued by politicians who’ve been caught in compromising situations. As InfoWorld puts it, “not seeing someone driving around in your stolen car doesn’t make it any less stolen!”

Rule 7: give out all the detail you can. When and how the breach occurred, how long it lasted, what systems were affected, what you’ve done to block the attack and repair the damage. Tell it all. Follow the example of LastPass, the secure password service that detected anomalous activity on a non-critical machine and nonetheless assumed the worst – and posted a blow-by-blow account of what they were doing so users could stay abreast of the incident. LastPass even did a public debrief, acknowledging errors it had made.

Rule 8: let customers know exactly how to prevent any similar case happening again. Plan, and talk about the plan.

Rule 9: make the changes that are needed. If your security measures didn’t work, change them so they do in future – that goes for physical devices as well as the policies. And be public about what you’re doing. Again, LastPass is an excellent illustration. You can read their posts

Those who’ve been well brought up might want to add a tenth rule. Don’t forget to say you’re sorry.

Andrew Brooks
Andrew Brooks
Andrew Brooks is managing editor of IT World Canada. He has been a technology journalist and editor for 20 years, including stints at Technology in Government, Computing Canada and other publications.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web