People use the word breach all the time. It has long been a familiar phrase in the technology world to signal the presence of a cybersecurity incident. Once commonplace around the office, in technology articles and even among leadership, the word breach is now something companies are being cautioned not to use. But why? Wayne Selk, vice president of cybersecurity programs and executive director of the CompTIA Community Information Sharing and Analysis Organization (ISAO), and Blair Dawson, data privacy lawyer and breach coach, explain why you should never use the word breach.
What Breach Used to Mean
For many, the word “breach” itself may draw a particular incident to mind, perhaps accompanied by a heavy dose of negative memories. In years past, the term was used to denote a situation where something unauthorized was happening within any of their systems.
“A little bit of history … companies and technologists would often use the word breach to describe any and every cyber incident,” said Selk. “It was frequently used when there was unauthorized access gained to a network because it meant that someone had gotten past the firewall.”
However, this no longer holds, and the technology industry is struggling to purge the terminology. “The industry didn’t do itself any favors,” said Selk. “But it really became a problem when most privacy laws went into effect.”
What Breach Means Today
With the implementation of privacy laws, the word breach now has a legal meaning. “People use the word breach colloquially, but it’s actually a legal term of art,” said Dawson. “The word involves the compromise of personally identifiable information (PII) that triggers notification obligations and that’s when there’s an actual breach.”
Just because you know that someone has unauthorized access to your network does not necessarily mean that a breach has occurred. And legal experts advise that you shouldn’t even use the word until an actual breach is verified.
Using “breach” prematurely can have negative consequences. It can errantly signal to concerned stakeholders that their personal information has been compromised, and it can lead business partners, potential claimants and the like to argue that the notification period started to run the moment the word was uttered, rather than at the point a breach was actually confirmed. Once a breach has been confirmed, the clock for notification arguably starts ticking, Dawson notes.
“However difficult it may be, you really need to watch your language during a cyber incident,” Selk says. “Your words matter.”
What You Should Do During a Breach
Dawson recognizes that the need to over-communicate comes from a good place. Companies want to be transparent and honest with their employees, business partners and clients. But Dawson recommends only communicating the absolute necessities and only that which can be confirmed and verified until you truly understand what is happening.
Here are a few tips from Dawson on how companies can remain legally compliant while also doing right by their clients:
- Immediately assemble your incident response team and implement your response plan. “You want to contain the incident, but also be able to show that you took action to resolve the issue as quickly as possible,” encourages Dawson.
- Get your cyber insurance company involved as soon as possible. You want to know exactly what your policy looks like so you can make quick, informed decisions. They can also advise you who needs to be involved to avail yourself of all coverage available and connect you with the right experts for mitigation. The recommendation may vary depending on the type of incident you’re experiencing. “If you’re dealing with ransomware, you may need a ransom negotiator in addition to a forensic investigation team,” cautions Dawson. “Each case is different.”
- Document your actions. In the event that you are actually experiencing a cyber incident and you need to contact regulatory agencies, you’ll want documentation to support what actions you took. It also helps keep the incident response team all on the same page. “Regulators are getting more and more aggressive and can and will reach out to an organization after being notified of a cyber event to try to understand what alerts were received, what took place, how the incident was responded to and what kind of risk prevention an organization has in place so it doesn’t occur again,” notes Dawson. “It is not uncommon that there will be a full investigation.” Breach counsel can assist with all of this.
- Only communicate what is verified. Although you might feel that transparency is warranted, over-communicating can have negative outcomes for everyone involved. “Making false statements can really undermine your credibility and hinder your relationships,” she warns. “You might feel you’re being transparent when you’re actually creating undue anxiety.”
- Follow advice of the experts retained on the organization’s behalf, including legal counsel and forensics. Expert teams know what they’re doing and they’re focused on advising an organization during a cyber incident to achieve the best outcome. But Dawson warns that even where expert counsel is involved during an incident there can still be friction and delays when an organization hasn’t done the work to prepare for a crisis. “It’s important to have a team of decision makers in place when a situation arises,” she said. “Delays occur when the right people aren’t present and that can really cause heightened anxiety during what is already a stressful event.”
Ultimately, resolving a cyber incident comes down to due diligence and adequate preparation. Both Selk and Dawson encourage MSPs to make sure they are ready with comprehensive incident response plans and realistic tabletop exercises. “Remember, the moment someone uses the word breach the clock starts running and is difficult to walk back,” warned Selk. “I strongly recommend companies simply strike the word from their vocabulary.”