One of the first questions a company must answer after it discovers and remediates a data breach is, “What do we tell our customers?” Companies may delay publicly announcing a data breach out of fear that doing so will harm their reputation with customers, leading to a loss of business. They may take an inordinate amount of time to make a public announcement, thinking their public statement must be “just right.” This is backward and outdated thinking. Rather, a quick public announcement of a data breach is an essential part of saving and rebuilding a company’s reputation after a data breach.
First, it is important to recognize that a company whose data systems have been breached is not in control of when the breach will be revealed to the public. There are tools available for individuals to see if their email addresses, passwords, social security numbers, credit card numbers, and the like have been posted on the dark web. There are cybersecurity companies and ethical hackers who are constantly on the lookout for information demonstrating a new data breach. Not speaking publicly about the problem will not make it go away. If a system has been compromised, that fact is going to become known sooner rather than later, regardless of whether the owner of the compromised system announces it.
Therefore, the compromised company needs to get ahead of things to control the narrative. We oftentimes forget that a company that has been hacked is a victim. A timely public announcement can help to remind the public of that fact. An announcement that acknowledges the problem, provides a meaningful recourse for those affected, and emphasizes the company’s commitment to work with law enforcement can help to shift the focus toward those who invaded the company’s systems. Delaying announcement until after a breach is already publicly discovered robs the company of the opportunity to frame itself as part of the solution rather than part of the problem.
Indeed, recent experience shows that the way a company responds to a breach is more likely to cause reputational harm than the breach itself. As a general matter, the public accepts that data breaches are an unfortunate reality of the digital age despite best efforts to prevent them. Moreover, given the number and size of data breaches over the past decade, many people are resigned to the fact that much of their personal data has already been compromised. They want to know of any additional breaches so that they can remain vigilant and spot potential fraud when it occurs. A timely announcement by the owner of the breached system gives them the information they need. Unnecessary delay can lead them to believe that the company is not taking its customers’ interests seriously.