Here at Digital Edge, we are constantly keeping up to date on suggestions from the best experts in the industry. Here are a few suggested best practices when disclosing a breach.
First – If you report a breach, be honest about what happened. If it was a breach, say it was a breach. Do not vaguely cite the everyday cybersecurity threats that exist and state only that you may be susceptible to them.
Second – The breach notification should apprise the affected individuals or clients of the actual risks they face and of how they came to be exposed to those risks. Companies should not exploit ambiguous language. If data was stolen, do not call it ‘unauthorized access’ or ‘exposure of data’ or use any other wording that makes the breach seem less severe. Furthermore, companies should not mislead, downplay the severity of a breach, or understate their level of fault in media disclosures.
Third – Make sure significant vulnerabilities are reported to executive management. Knowledge of these vulnerabilities should not just stay in the IT department. If executive management does not know the whole picture, they will not know the critical risks the company is exposed to and may make a false disclosure.
Fourth – Companies should ensure that their disclosures are updated when there is a change in the risk calculus caused by an event, a change in circumstances, or when new information is discovered. This is to help ensure that the information contained therein is as accurate as possible.
If you need assistance with reporting a breach or have any questions or concerns, please don’t hesitate to reach out to us.