How Companies Should Handle Data Breaches

Step 1: Don’t wait until a hack takes place.

Publix supermarket in Winter Haven, Fla.

Publix: Food & Pharmacy & Forward Thinking on Cybersecurity.

Photo courtesy Josh Hallett/Flickr

In the wake of reports of several high-profile, large-scale data breaches in the past year—most recently at JPMorgan Chase & Co.—you would expect companies to be spending more time, and money, fortifying their systems. Still, last week’s news that supermarket chain Publix was looking for a “PR/Crisis Management and Breach Response Planning Provider” to “provide assistance preparing for, and during a data breach, (e.g. advice and assistance with messages)” took me a little by surprise. At first it seemed sort of silly. Why waste time and energy planning the messages you’ll send out after discovering a breach when you could instead be focusing on preventing and defending against such a breach? But on further reflection, Publix’s emphasis on security incident PR actually struck me as a potentially important step in changing the way we think about data breaches. In fact, this is not a superficial issue but a fundamental question, which if properly addressed could help change how little we know about computer security breaches and how well-equipped we are to defend against them in the future.

To be fair, I have no idea what Publix execs are looking for in a PR firm—possibly they imagine press releases that downplay an incident’s impact (Only 2 million payment card numbers were accessed from our database—that’s 95 percent fewer than were stolen from Target!) or that reassure customers that everything has now been fixed (Our systems have now been quadruple firewalled with eight super-strength encryption algorithms protecting your data 24/7!).

If the Publix honchos asked me to write that press release, though (and I think it’s safe to assume that they won’t), here’s what it might say about a hypothetical breach:

Our computer systems—like everyone else’s—are periodically compromised, resulting in the disclosure of customer data and the disruption of store services. Recently, one such incident occurred in which the perpetrators were able to access our customers’ payment card numbers by manually installing malware on our point-of-sale systems. While this was the only incident we detected in recent months in which an intruder successfully accessed customer data, there were a number of “near-misses” during that time, in which we detected apparent attempts to breach our defenses that were ultimately unsuccessful for the reasons detailed below. These are only the incidents we know about—we know there are more, and that there will be more, and because we care about your security, we have not only made the changes to our store systems’ security described below, but we have also redoubled our efforts to monitor our networks and flag anomalous activity, data exfiltration, and other suspicious indicators. We hope that in the future we’ll be able to share with you details of more—not fewer—incidents and near misses. That will mean that our—and your—security is getting better.

Mind you, I have no idea what the actual story is over there at Publix, I’m just writing an all-purpose full-disclosure press release that would work in some form for almost any company that was diligently monitoring its networks. And furthermore, I’m no PR expert (clearly), but I get why that’s a tough strategy to sell, especially in the current climate, where every data breach announcement gives rise to the same kind of headline: “JPMorgan’s Supersize Data Breach Hits 76 Million Households,” “Target Cyber Breach Hits 40 Million Payment Cards at Holiday Peak,” “Neiman Marcus: 1.1 Million Credit Cards Exposed in Three-Month Hack.” Imagine what would happen if a business revealed several hundred breaches at once. It’s no wonder that no company wants to release any more information than absolutely necessary about its security. But that leaves us having the same conversation, time and again, about the same set of incidents that result in the breach of personal data and how many people or households or credit cards that data was tied to.

In fact, there are few things less important for thinking about why a security breach was successful, or how to better defend against one in the future, than the number of households it affected. Those numbers mostly serve to scare us with their sheer magnitude (and they make for good headlines—I’m sympathetic to that), but they tell us next to nothing about what actually happened, or what security measures were in place and why they were inadequate, or what security measures weren’t in place and how they might have helped, or even how much harm was actually inflicted on the victims. And for the most part, no one wants to release any of that information—no one wants to release any information at all beyond what they’re absolutely legally required to release—because they fear it will just be folded into yet another story about their negligence and the barrage of cyber-attacks they face and the millions and millions of people who (may) have been affected, rather than a story about their aggressive detection and defense efforts and the lessons they’ve learned that may be useful for others.

Of course, negative publicity isn’t the only reason companies may be reluctant to disclose information about security incidents voluntarily—there’s also fear of incurring legal liability or providing useful information to would-be attackers, for instance. And certainly some companies deserve the bad press and the accusations of negligence. But plenty others don’t. They deserve to be rewarded and praised for discovering so many security breaches; they have much more important things to tell us than just how many credit card numbers were stolen. But they fear the headlines that would result from publicly admitting that they had detected hundreds—or thousands—of threats on their systems. Someday, I hope, a brilliant PR firm will be able to turn that into a badge of honor and we’ll all be able to learn more about a wider variety of security incidents and their root causes—not just read about how many millions of people’s records they involved.

If the PR approach fails (or if no one is ever brave enough to attempt it), security incident reporting policies may help. The European Union, for instance, is in the process of trying to create a more comprehensive security reporting regime, which has lots of problems in terms of whom it applies to and what they’re asked to report but an ambitious and worthy aim of trying to broaden our visibility into security incidents. The governments in the EU (and other countries, for that matter) would be wise to take the lead in this area and set an example by reporting more broadly on the incidents they themselves witness on their own networks. In the United States, security reporting regulations are mostly limited to breaches that involve the disclosure of personal data—meaning we know very little about the wide range of security incidents that aren’t targeting credit card and Social Security numbers, and even less about the near misses, or incidents in which perpetrators are successfully stopped before they access such data or achieve some other malicious goal. And think how much we could be learning from those near misses, how helpful it would be to have a better sense of how to stop criminals! I’d take that information over the number of credit card numbers they accessed any day.

That’s the real pity of the current security reporting climate—that we’re so focused on how many sensitive numbers or how much data has been stolen that it’s blinded us to the more important elements of these incidents and made many organizations extremely gun-shy about sharing anything more than the absolute minimum of legally required information. If you happen to be someone who studies defense of computer systems (which I do—at least until I launch my wildly successful career as a PR maven), then that means you’re left analyzing widely publicized failures of corporate defense systems, with very little information on the successes and near successes of those same systems. But more importantly, it means that there’s a wealth of valuable security lessons and interesting, relevant analysis out there that isn’t available for discussion because the organizations involved are scared to release the information. So some good PR for security incidents really could change the discourse, and let us discuss these systems more openly—and that could have tremendous benefits for everyone. So I’m hopeful about the Publix strategy and the possibility that it and other companies may successfully rebrand security incidents, near incidents, and non-incidents.

This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow us on Twitter.