A data breach is a risk facing anyone who holds data. Aside from the importance of contacting your cyber insurer and IT people as soon as you become aware of a breach, your public statements and handling of the incident can have an impact, either positive or negative.
From an article on the worst handled data breaches and security incidents of 2024 published by NetDiligence (a provider of cyber risk management software and services) and TechCrunch (a cyber security firm), here are some public statements to avoid if you are the victim of a data breach:
- delaying confirmation that hackers have stolen data, especially in the face of published reports that the data was stolen;
- advising that the incident had a significant impact on staff who had to work additional hours while the attack was being dealt with;
- saying little about a known breach;
- saying that the stolen data was either encrypted or corrupted and unusable to those who stole it, when security professionals who found the missing data have reported that it was neither encrypted nor corrupted; and
- deflecting blame for the incident onto the victims, for example blaming users of your service for not sufficiently securing their accounts.
Determining how a breach happened, securing your data and preventing a future breach are important, but just as important is how you respond to your clients and other parties who may make inquiries.