When Should Companies Reveal Their Data Breach?

It seems that every time you read the news these days, you find out about yet another data breach. This surge of incidents isn't just in your head. Data breaches are actually becoming more common.

For context, 2013 saw nearly 1 billion records exposed. In 2016, that number jumped to 4.2 billion records exposed due to 4,149 reported data breaches. But the consequences don't stop there. Businesses that suffer a data breach also face the high cost of data recovery and network repair, not to mention reputational damage.

This is a serious problem that requires a serious solution. By investing in data breach insurance, you ensure that your company won't have to confront these financial challenges alone.

Of course, there is still the question of how best to reveal a data breach to your clients and customers. A clumsy disclosure could breed panic and discontent, and a delayed response might seem irresponsible. Below we will discuss the best ways to divulge a security incident.

The Big Reveal

You can't even visit the topic of data breaches without bringing up Equifax. The consumer credit reporting agency spilt vital personal and financial data (including names, addresses, Social Security numbers and credit card information) on 143 million Americans, which is to say nearly every adult in the United States.

But perhaps even more troubling is the way the breach was disclosed. In a statement, Equifax said it found out about the incident on July 29, but didn't reveal it publicly until late September 7. Meanwhile, three Equifax executives sold shares worth nearly $2 million while the public was in the dark for six weeks. The day after the public knew about the incident, stocks tumbled 13 percent. As you might expect, Equifax is now facing a federal investigation into the stock sales.

What can we learn from this example? People will take notice of your actions, especially when it's their information on the line. Avoid any activities that might seem less-than-honest or shady.

Then again, it can sometimes take a while for a company to discover they've been hacked. Yahoo, for instance, saw over 1 billion accounts breached in two separate hacks occurring in 2013 and 2014. However, the incidents weren't discovered until 2016.

Many companies are completely unaware of a breach until customer information appears on the dark web, they receive an extortion notice from the hackers, or (as in the case of Dropbox) customers start complaining about spam or fraud.

Admittedly, there needs to be an intermediary period between when the incursion is discovered and when it is publicly revealed. This way the company can take a moment to assess what information was stolen and how. Don't wait too long though, as much of this process can run in the background.

Be sure to reach out to law enforcement, your cyber insurance provider and any third-party security agencies you might employ.

Alert your customers via a letter or email. Do not include a redirect link (as this is what phishers do) and make sure the announcement is hosted on your own website. Equifax made the rather poor decision to make a new website for users to find out if they were victimized by the breach, which was easily spoofed by pranksters and hackers.

Similarly, Equifax included fine print on their incident page that forfeited consumers' rights to sue. While this might seem like a smart decision legally, it only added to the backlash faced by the credit reporting firm.

In summation, it's important that you:

  • Promptly report the discovery of a cyberattack or data breach to law enforcement and your security partners, all of whom will help you inspect your network for signs of intrusion and theft.
  • Reveal the hack to your customer base in a timely manner, including the kind of information stolen, what you are doing to remedy the situation and when/where they can expect further updates.
  • Protect yourself against financial ruin with data breach insurance rather than through sneaky undersigning.

Depending on your plan, data breach insurance covers the cost of litigation, file recovery, network repairs, credit monitoring and more.

Are you prepared to handle a data breach on your own? Make the smart choice and visit CyberPolicy for your free quote today!
