It's a nightmare scenario, one that's more and more common every year as data becomes more valuable — despite your best defenses, some of the confidential data your company holds on to was accessed by hackers or cyber criminals.
While the breach is in the past, there's a lot your company can still do to make the best of the situation — as well as a number of pitfalls that even major businesses fall into.
Here are five mistakes that you need to avoid when disclosing a data breach.
1. Not Having a Plan
Immediate response to a data breach requires a plan that is already in place. In the best-case scenario, you have a breach response plan that has been rehearsed. By the time company management is aware of the breach, your business's IT team is already looking into it and patching up the security holes that let it happen. Your public relations or business communications staff, already trained on how to respond to data breaches, are drafting breach notifications that will be sent to customers.
A well-rehearsed plan gives you as much time as possible to get a full sense of what information was compromised and preps your team to give the best possible support to your customers.
2. Not Moving Fast Enough
Once your company becomes aware of a breach, a timer starts — people will want an explanation for the gap between the breach's discovery and your company's first public communication.
Depending on where your company does business, it may also be subject to a time frame within which it will need to report the breach or face legal consequences. Under the GDPR, Europe's set of data protection and privacy laws, a business has to notify authorities about a data breach within 72 hours or face steep fines.
Your company will face challenges that are similar — or worse — if it fails to disclose the breach at all.
3. Trying to Cover Up the Breach
On top of not being likely to succeed, this strategy is also illegal. Once your company becomes aware of a data breach, it is nearly always obliged by local or federal law to report that breach.
Trying to cover up or downplay a breach — as Uber attempted in 2016 — isn't likely to work, especially once law enforcement is involved, and can lead to big fines. In the long run, not providing the public and the authorities with the full scope of the breach is likely to make the problem more severe, not less, for your company.
4. Not Contacting the Right Authorities
Bringing law enforcement into your data breach investigation is a good idea — and in some cases, your company may even be legally obliged to notify the authorities about a data breach.
Law enforcement officials can help you understand your company's legal responsibilities and investigate the hackers behind the data breach. In one example, Capital One recently worked with the FBI to catch the hacker behind an unauthorized access of their system earlier this year.
Catching the hacker can provide your company with a better understanding of how they were able to access your system — information you can use to bolster security and implement practices that will prevent data breaches from happening in the future.
5. Providing Too Little Information — or Too Much
In some cases, you may need to provide a full accounting for what kind of data was accessed. In others, your company might need to relay how the hackers accessed its system.
The information you need to provide — to your customers, the authorities and the public — is situational, and will depend on the severity and scope of the breach.
It may be a good idea to hire a data breach or cybersecurity adviser who can help you stay on top of the legal requirements of breach notification. These advisers can also help you determine what information should be passed on to your business's customers and the public.
Properly Responding to a Data Breach
Once a data breach has occurred, your company still has a lot of control over the situation — and, as a result, a chance to make the best of it or to make things worse.
When responding to a data breach, you should stay candid, avoid downplaying or covering up the breach and provide the exact amount of information needed. If possible, your business should also have a plan in place that your team members can follow. Information gained from your company's internal investigation of the breach can be used to strengthen cybersecurity practices, lowering the risk of a future breach.