New Book Offers Considerations for Communicating Data Breaches
A new book on data breaches — while not focused on communications — raises some issues for crisis communicators to think about when developing messages about such incidents.
You’ll See This Message When It Is Too Late is by Josephine Wolff, assistant professor in the Public Policy and Computer Security departments at Rochester Institute of Technology. A main theme is what various constituencies — programmers, targeted organizations, regulators — can do to fight data breaches. The problem is, they mostly end up pointing fingers at one another. For example, in a retail breach the store owner, payment networks, and banks will blame each other.
In the aftermath of these [data-breach] incidents, we see how their fallout engenders hostilities between parties who should, ostensibly, be on the same side.
— Josephine Wolff
“In large part, what we learn from these breaches is how the dynamics between different defenders — or stakeholders who could potentially serve as defenders in some capacity — have shaped the security landscape we have today,” Wolff writes. “In the aftermath of these incidents, we see how their fallout engenders hostilities between parties who should, ostensibly, be on the same side — and, above all, strengthens the resolve of all involved not to be held responsible for any piece of anyone else’s security.”
Another related issue Wolff raises that could affect communications is that commenters on the incident (including journalists) seek the one silver bullet that would have prevented the problem — the one thing the victim neglected to do, such as requiring two-factor authorization (in which a unique code is entered for each computer session) or encrypting documents.
Wolff’s point is that in many cases such measures wouldn’t have prevented the intrusion. For example, TJX Companies, which owns retailer Marshalls, revealed a breach in 2005. The Federal Trade Commission, banks, and payment-card issuers sued the company, arguing its encryption was inadequate. But Wolff argues stronger encryption probably wouldn’t have been effective in this situation.
Again, the question arises of whether you should address this in your communications. On the one hand, the public doesn’t like an organization to blame others when it experiences a data intrusion (or other crisis). On the other hand, other people may be culpable. How much do you want to blame the designers of the leaky software you bought?
For example, Wyndham Hotels and Resorts, regarding its series of breaches in 2008 and 2009, argued it didn’t implement the U.S. Federal Trade Commission’s recommended safeguards because they were too vague. Yet, the company did so little to protect itself that it found it hard to defend its actions in the lawsuits that followed.
So, these are things to keep in mind in terms of messaging, though that is not Wolff’s focus, which is more of a big-picture view of how to prevent data breaches (her subtitle is The Legal and Economic Aftermath of Cybersecurity Breaches).
She mentions another issue that can affect communications: Companies and other organizations that fall victim to cyber thieves have a vested interest in claiming the breach was more sophisticated than it was — and therefore couldn’t have been prevented.
That’s something else to think about.
Image Credit: VectorKnight/Shutterstock
This is an abridged version of an article that appeared today on the CrisisResponsePro paid subscription portal. (CrisisResponsePro subscribers can access the full version by clicking here. ID and password are required.) To take advantage of all of the content, data, and collaborative resources CrisisResponsePro has to offer, contact us at firstname.lastname@example.org.