Cost Of Delayed Communication In Data Breach Incidents
When a data breach occurs, the crisis response team comes under immense pressure to decide who must be notified, and how soon.
Stakeholders and the public have become well aware of the damage a breach can do, and they are far less tolerant of delayed notification than they once were.
A company can incur consumer anger by delaying notification by as little as a week.
A Few Data Breach Examples From the Past
Equifax Data Breach
In the case of Equifax, the organization reportedly spent over six weeks investigating its 2017 breach and drafting notifications.
Many parties were involved during this period: forensic analysts, law enforcement agencies, data breach lawyers, and communications specialists.
Six weeks was inside the 60-day notification window that laws such as HIPAA allow for the data they cover, but this was not an average breach.
The Social Security numbers of over 140 million people were stolen, which meant that companies across the United States could no longer rely on Social Security numbers as a means of validating customers.
Although large quantities of personal information had already been stolen in earlier breaches, most of the affected individuals had not yet taken the risk seriously.
From the consumer's perspective, each day the company waited before informing victims reduced their chances of protecting themselves from likely harm.
And if notification is delayed for over a year, the organization has a great deal of explaining to do.
A delay of over a year can be far more damaging than the breach itself, as Yahoo found in 2016 when its earlier breaches were finally disclosed.
Amid the public outrage, it was appalling that consumers learned of a breach three years after it occurred.
Prompt notification helps customers limit the damage of a breach, especially a massive one that exposes identity data such as security questions and answers they may have reused on other websites.
This is reflected in how quickly the public has learned what a breach means for them.
By the end of 2016, most people understood that the compromise of their account information at one company could let cybercriminals gain access to their other accounts as well.
Some companies, however, keep a breach secret until it is eventually exposed. One prominent case is Uber.
Uber Data Breach
In 2016, Uber fell prey to extortion and made a poor decision in response. An anonymous cybercriminal emailed the organization claiming to have found a vulnerability in its systems and to have gained access to confidential information.
The hacker had obtained credentials and other sensitive information from Uber's cloud-based storage, which let him into the company's Amazon Web Services storage holding source code and the personal data of roughly 57 million riders and drivers.
The cybercriminal demanded payment for having discovered the vulnerability. At the time, Uber ran a bug bounty program administered by an outside specialist company.
After verifying the cybercriminal's claims, Uber opened negotiations at around $10,000, the program's top award.
The cybercriminal demanded far more, around US$100,000, insisting that the data in his possession was worth more than any bounty.
Uber eventually agreed to pay $100,000 once the hacker signed a nondisclosure agreement, in order to prevent further exploitation.
Uber also carried out a forensic analysis of the cybercriminal's machine to confirm that the data had been destroyed.
Having done all this, the team at Uber decided that public notification was not required and closed the case.
This incident would have stayed under wraps had it not been for the resignation of Uber's CEO amid a scandal.
The events surrounding his departure revealed pervasive, improper, and unlawful behavior throughout the organization.
When the new CEO took over in 2017, an internal investigation was conducted with the help of outside counsel. As part of this inquiry, the $100,000 payment was discovered and disclosed.
To rebuild trust with key stakeholders, Uber chose to demonstrate openness and accountability in its notifications.
Given the company's already precarious position at the time, the new CEO specifically called out the failure to notify affected individuals and regulators and announced that the chief security officer and a senior lawyer had been dismissed.
The public outcry that followed played out not only on social media but continued for months, with two class-action lawsuits filed against the company.
That the company took almost a year to notify affected individuals raised red flags about the systemic problems that can keep time-sensitive information from reaching those left exposed.
Taking a cue from the Uber case, organizations should ask themselves honestly whether they would truly disclose such an incident.
Had Uber's new leadership not disclosed the 2016 incident, it most likely would never have become public.
How many organizations today have similar skeletons in the closet that no one will ever know about?
To keep your documents secure and compliant without hurting productivity, consider a digital rights management (DRM) solution to prevent the exposure of sensitive and classified Word files and PDF documents.
Whether you share information with trusted insiders, business partners, consumers, or other authorized people, a DRM solution can safeguard, control, and track classified and confidential documents.
Such information may include intellectual property, trade secrets, and personal credentials, all of which need the strongest security and privacy, which is what a DRM solution is designed to provide.