Breach disclosure has recently been in the news, and not necessarily in a good way. Missouri Governor Mike Parson’s press conference on a newspaper’s reporting of a security vulnerability on the Department of Elementary and Secondary Education’s website created a social media backlash. He blamed the reporter who discovered publicly accessible sensitive data for the exposure rather than a faulty website implementation.
This incident reminded me of a lesson I learned years ago from several people who worked in communications on Microsoft security issues. A Microsoft security incident would be in the news with all sorts of details, but the Microsoft security communications team would be annoyingly and frustratingly silent. I’d take this as a sign that they didn’t understand the security issue at hand, but later I would find out that they were either waiting for a follow-up resolution or for some fact that was still under investigation.
Being first to break the news about a security event often means you will get something wrong, or, worse yet, your spokespeople will not fully understand the situation and will give wrong information that often cannot be easily corrected. In this 24/7 news world, being too communicative too early in the process can bring unnecessary scrutiny to your security issue. You don’t want to be the first to communicate, nor the last. There is always a middle ground of communication that should be followed in breach notifications.
It’s wise to have a plan in place for how you will respond to a breach. Here’s how to build that plan.