Merritt Group Blog

Don’t Be the Last to Know: Corporate Policies for Disclosing Data Breaches


It’s a Monday morning and the last thing you want to wake up to is finding out your entire identity was stolen. 

What’s worse? Discovering that your information was stolen not today, but months ago. The secret is finally out...and you are the last to know. Unfortunately, this scenario is all too familiar when it comes to the disclosure of data breaches. 

In our ever-evolving, connected world, most of us understand the importance of our data, and yes, it is OUR data. Our names, addresses, Social Security numbers and credit card numbers are assets that attackers can use to break into our accounts, commit fraud in our names and attempt to steal our identities. 

Despite the sensitivity of this information, companies have taken their time in alerting the public to data breaches affecting their customers. For example, Yahoo waited roughly two years to disclose a 2014 breach affecting at least 500 million accounts. A separate 2013 breach, disclosed even later, turned out to affect all 3 billion of its user accounts, which still makes it the largest data breach on record.

Similarly, Equifax took about six weeks after discovering an intrusion on July 29, 2017 (the attackers had been inside its systems since mid-May) before revealing in September that hackers had obtained sensitive data, including Social Security numbers and dates of birth, for an initially reported 143 million individuals. 

Most recently, food delivery service DoorDash alerted app users at the end of September 2019 to a data breach affecting 4.9 million people. Exposed data included names, email and delivery addresses, phone numbers, order history and hashed passwords, along with the last four digits of payment card or bank account numbers for some customers, delivery drivers and merchants, and driver's license numbers for roughly 100,000 drivers. The unauthorized access itself had taken place on May 4, nearly five months before the public notice.

This should not be the norm, and these cases emphasize a common theme among organizations in the United States: companies can take days, months and even years to disclose a data breach. And that’s if the organization decides to publicly report them at all. 

With the growing number of breaches, consumer demands for transparency are also growing louder. 

In 2018, the Securities and Exchange Commission (SEC) updated a 2011 cybersecurity statement to note that publicly traded companies need to "take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion."

It is important to note that the SEC statement, while a step in the right direction, is interpretive guidance rather than a rule: it restates the disclosure obligations public companies already have but sets no concrete deadline. This raises the question: what counts as a "timely fashion?"

For companies facing data breaches, we recommend aligning disclosure strategies with these recommendations below to get information out in a “timely fashion” and survive the data breach: 

Address the Breach ASAP. Contain the intrusion, preserve logs and other evidence for the investigation, and determine what has been compromised and to what extent. Start the clock from the moment you become aware of the breach, because that is when most regulatory notification deadlines begin to run.

Develop a Data Breach Specific Team. Assemble a dedicated breach response team or task force to lead the response and act as the single point of contact for law enforcement, regulators, legal counsel and the press.

Disclose the Breach. Once the incident is contained, the task force should coordinate with the legal and public relations teams on notifying the public. Disclosure should happen as soon as possible, in days rather than weeks or months, and should not wait for the investigation to be finished. If you can't share all the information at once, tell the public what you know, what you don't yet know, and when you'll provide the next update.

National and global policy directives can also help. To curb lengthy disclosure delays, many experts favor a federal breach notification law. This is largely because a company that suffers a breach today must comply with 50 different state notification laws, each with its own definitions, thresholds and deadlines.

Effective May 2018, the European Union set the benchmark for breach notification with the General Data Protection Regulation (GDPR). Its most notable provision on this point is Article 33, which requires a data controller to notify its supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, giving reasons for any delay. Article 34 separately requires notifying the affected individuals without undue delay when the breach is likely to result in a high risk to them. The 72-hour clock runs from awareness, not from the end of the investigation, which is why organizations need a response plan in place before a breach happens, and it demonstrates how seriously privacy and breach disclosure must be taken. 

Unfortunately, there isn't a one-size-fits-all solution for this data breach notification issue. But we do know that the industry needs to implement action to support the general public. One thing we can all agree on: no one wants to be the last to know, and it’s up to us to keep companies accountable for our data. 

To learn more about best security practices, check out Merritt Group’s security blogs or contact Michelle Schafer, VP of our security practice team, at schafer@merrittgrp.com if you have any additional questions!

Topics: Security cyber cybersecurity data breach