The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.
Preparation also requires anticipating the decision-points that are likely to arise in a breach. Our clients often ask us to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult.
Many of the areas where we have seen companies struggle involve management-level strategic decisions that must be made when a security incident is identified. This eight-part series explores these difficult decision points. For each there are no “right” or “wrong” answers. Like all strategic decisions, management must examine the specific facts facing their company, as well as their organization’s culture, their industry, and business realities.
While there may be no right or wrong answer, in our experience executives who have anticipated these decision points before a breach are better able to make decisions that align with the organization’s overall strategic goals, and are able to do so with greater speed and confidence.
Part 2: Should You Disclose a Breach If You Are Not Required to Do So by Law?
Situation. State data breach notification statutes only require that an organization disclose a data breach if the breach involves specific types of data. In most states that includes only Social Security Numbers, Driver’s License Numbers, or financial account numbers that permit access to accounts. Many data breaches, however, involve the loss of other types of information (e.g., salary, date of birth, demographic information, email address, mailing address, etc.). In situations in which a breach involves data types that do not trigger a breach notification requirement, management often struggles with whether to (1) voluntarily notify impacted individuals, and/or (2) voluntarily notify regulators.
Some strategic considerations: Management typically considers the following factors when determining whether to disclose a security incident that does not involve data fields that legally require disclosure:
Pros of voluntary disclosure.
Cons of voluntary disclosure.