To Notify a Data Breach or not?

It was announced this week that Uber were hit by a data breach affecting 57 million user accounts. It was also revealed that the breach occurred over 12 months ago.

The company also admitted to paying $100,000 to the hackers on the condition that they would not make the data breach public. Knowledge of the breach was contained within the company, and it is understood that the new CEO was only made aware of it a couple of weeks after he took up the position.

In October 2016 hackers managed to gain access to the data of Uber customers and the licence numbers of hundreds of thousands of Uber drivers. So why would a business not disclose such an important event?

A data breach is an indication that a business's cyber security posture may not be as robust as it should be, and it might provide warning signals to potential customers as to whether their data would be secure within that business's computer infrastructure. Alternatively, the business may simply have been unfortunate, having state-of-the-art anti-virus software in place and an immaculate patching regime.

The reasons for not disclosing a data breach can be numerous; examples of this approach could be linked to the following:

  • Fear of adverse publicity
  • Loss of existing and potential new customers
  • Damage to staff confidence
  • Panic by management that non-disclosure is better than allowing this to reach the public domain
  • The easier option of sweeping it under the carpet
  • A view that data breaches happen, are not uncommon and are an everyday business occurrence
  • Deterring potential investors in the business
  • Impact on share price

These may seem feasible reasons, and a business's decision not to notify a data breach may be full of good intention, but what are some of the consequences of not doing so?

Regulatory Obligations

Within most US states there is a legal requirement to notify the breach or compromise of the personal details of individuals within a reasonable period of time.

In the UK, there is currently no compulsory requirement to notify a data breach to the Information Commissioner's Office (ICO), but voluntary notification is considered to be good business practice. This will of course change next May when GDPR comes into force, with the need to notify data breaches to the ICO within 72 hours of the breach.

Damage to Reputation

These days openness and the ability to communicate with the public are very important, and they are two of the qualities that consumers look for in a company they may be considering doing business with or whose services they may use. If this view is tarnished in any way, it could damage the reputation of the business.

Collateral Damage to Customers

Non-disclosure of a data breach denies customers the chance to take preventative action themselves, such as changing passwords connected to the compromised computer systems, and may cause collateral damage to their own systems.

Can Cyber Insurance Help?

All cyber insurance policies provide incident response services on a 24/7 basis.

This is offered in order to help businesses manage a data breach or any unauthorized access to their computer systems. It includes the following:

1. Use of public relations consultants

2. Lawyers to help manage the confidentiality of the breach and to assess the sensitivity of the data that may now be in the public domain

3. Mitigation of a subsequent sideways data breach that may impact on the business

Clearly there are many reasons why a business may not wish to disclose a data breach, but the pros of disclosure should outshine the cons in a world where regulation and customer confidence are king.
