Breach response expectations: cliches impeding change
There have been enough large-scale data breaches in the news that people now have expectations for how companies respond. There's a script. This script doesn't necessarily lead to successful responses. It just means that people expect companies to communicate in certain ways when they have been breached.
People are more comfortable when their expectations are met, even if those expectations are low or bad. The closer something is to what we expect for a situation, the more likely we are to accept it. We won't look as closely or be as critical because it fits our script for what could or should happen. (Obviously there are exceptions to this.)
When there's a breach, people expect to get an email in barely understandable legalese that offers them three months to one year of identity theft monitoring and probably a new credit card to follow.* They expect that the organization won't have a satisfactory answer for how it happened. If an organization meets these expectations, people won't necessarily be happy about it but they're less likely to demand change.
*Credit monitoring appears to be more of a US-specific phenomenon - it at least isn't universal in every country.
Let's look at some of the other expectations people currently have.
Notification: How do people learn about the breach? While there are legal regulations for whether, when, how, and to whom organizations announce a breach, we've seen time and again that these regulations can have loopholes, leave some people out of the loop entirely, or just be ignored. There isn't one way people hear about a breach. However, there are some common trends.
Media - frequently, people first hear about a breach from the media (directly or second-hand). Perhaps the organization announced it itself or the story was leaked by a researcher/whistleblower. These are two very different cases, but the second scenario is happening enough that people aren't as shocked by it anymore. If the organization announces the breach proactively, the perception is that this is a big breach but they aren't trying to hide anything. If it was a smaller breach, a big announcement to the media wouldn't be necessary. If the announcement isn't by the organization, the perception is that they were hiding something or were incompetent enough that they didn't know they were breached - neither a good option.
Direct notification of victims - the first someone hears of it is an email from the organization saying "your records may have been compromised" or similar. Lately, this happens mostly for smaller incidents; larger breaches are covered by the media first. If the breach doesn't build into a media storm, people will likely disregard the breach. They think "It didn't look like the company was trying to hide anything, and if it was something I needed to care about, other people would be talking about it."
Delayed/ambiguous notification - This one is more common than I'd like and it's definitely the worst for everyone involved. People can't figure out if they're impacted based on the communication, or it's revealed that the organization tried to skate by without notifying victims at all. The second situation is objectively bad. The first also isn't great, but it's more common - it's sometimes hard to determine exactly who is impacted. I think people are starting to internalize the idea that they might never know if they're impacted by a breach. They might not be happy about it, but they're not as surprised by it anymore.
Causes & corrective action: People already have expectations for how an organization should respond to a crisis - there are theories of communication about it - and they compare breach responses to those expectations. Here are specific trends in how organizations respond to breaches.
Executive-level blame - A company goes through a crisis and some high-level executive is offered as a sacrifice. Usually they resign, some retire, a few are fired. It's a very standard, expected way for an organization to perform contrition after a crisis. "Look, we're changing - there's been a 'shake-up' at the executive level, we've learned our lesson!" In some cases, the executive departure is warranted: the executive was directly responsible for the crisis or mishandled the response. In others, it's a "we have to give them someone valuable" situation. However, because it is such a common response, it fulfills a lot of people's expectations and they can mentally move on from the incident. Act of contrition, check, incident over and on to the next.
Low-level blame - This sometimes comes packaged with the executive-level blame but can stand alone. It's a way for the organization to put distance between themselves and the blame: it's not a pervasive issue, it was one bad apple, and they have been removed from the barrel. Because people don't understand security, they might not push back against this explanation and ask "how could a single person's action/inaction lead to a breach of this size? Shouldn't there be checks and balances or something?" I'm curious to see whether this causal explanation becomes more common and how the public reacts to it.
Third-party blame - It wasn't our breach; it was a contractor, provider, etc. that was breached, and that's how the criminals gained access. This one isn't as common, and I think many people would still be surprised or confused to see it in breach communication, but it has happened. The more companies include this in their breach messaging, the more acceptable it will likely become.
These are some of the trends I've seen in breach response and what they mean for public expectations. Now that data breaches are increasingly common, people are less shocked by them. This means they aren't as outraged or afraid as they used to be - at a general level. Some people will always be outraged and afraid but, for a large swath of the public, breaches are becoming business as usual.
This isn't great if we want companies to change how they respond to breaches. If the public is building expectations for breach response based on bad examples, it increases the likelihood that companies will be able to get away with bad breach response in the future, because people will expect it. It's a bad cycle that we're falling into.