By Karen Sprenger   /   Sep 8th, 2020

Stop Data Breach Shaming: Ending the Data Breach Notification Stigma

Let’s talk about theft. If an armed robber holds up a bank and leaves with cash, is your first inclination to blame the teller who handed over the money? It’s likely not, and most financial institutions and retailers have rules that require their employees to cooperate with armed assailants. What about blaming the security team who didn’t stop the armed assailant? Probably not – they were focused on keeping everyone safe.

In this scenario, there is a very real threat to life and limb. So, what if the theft occurred after hours, the robbers went into the bank, bypassed all security, and left with millions? Now, is the bank to blame? Or do we blame the criminals who stole the money?

When a company experiences a data breach, our first response is usually to ask, “Who’s to blame?” or “What did the company and/or employees do wrong?” Why is a data breach notification a cause for criticism?

The Blame Game

In the after-hours bank scenario outlined above, few would place all of the blame on the bank. Yes, behind the scenes there are likely “lessons learned” meetings happening, analysis into how the security systems were bypassed, and discussions about what needs to be done to strengthen security. But, in the court of public opinion, you likely won’t see the bank or its employees raked over the coals. Most people and publications will recognize that the bank is a victim of a crime and that the robbers themselves shoulder the majority of the blame. You definitely wouldn’t see headlines like this one from 2017: “Former Equifax CEO blames breach on a single person who failed to deploy a patch”. (If your security program relies on one person applying one patch, then it’s time to re-evaluate – but that’s for another discussion.)

So why do we shame companies who have experienced a data breach?

A Data Breach Notification Feels Personal

One thing that sets data breaches apart from a bank heist or other theft is that the items lost are very personal. When we get a data breach notification, the data lost is our data. If a bank loses money, its customers are insured against losses and can generally be made whole. If a company loses our data, it’s more complex.

A loss of credit card information can be a huge inconvenience for sure, but ultimately the card can be replaced. However, when our Social Security number or medical records are lost, those are irreplaceable.

Companies who experience a data breach are victims of a crime. Unfortunately, at this time, the criminals who violate the companies are rarely caught, whether due to geographic location, lack of evidence, or obfuscation. So, the anger people feel when they receive a data breach notification is directed back at the company they trusted to hold the information.

What’s Next?

On August 1, 2020, Security Boulevard released their take on the “5 Biggest Data Breaches of 2020 (So Far)”. The list likely won’t surprise you, as all five are well-known companies (and data breaches) – Twitter, Marriott, MGM, Zoom, and Magellan Health.

However, the list should give you pause. These are all large corporations that invest in information security and have internal information security teams, but they still got hit. Part of looking for someone to blame is looking for a reason it won’t happen to us. (Aren’t you secretly wiping your brow and saying, “Thank goodness it wasn’t my company!” with every new headline?) Data breaches, like most crime, can be targeted or random, and they can happen to anyone at any time.

Rather than focusing on placing blame, or shaming companies when you hear a data breach notification, let’s focus on what we can each do to prevent a data breach. Let’s also work on learning from the pain of others and share solutions rather than pointing fingers.

What Can You Do?

If you want to avoid issuing a data breach notification, the primary thing you can do is to educate yourself and your employees. Here are some tips:

  • Help employees learn how to spot a scam – offer training on how to avoid phishing emails or phone calls (vishing).
  • Add systems such as spam filters, SIEMs, and anti-virus/anti-malware tools to help – but recognize that these controls will not catch everything.
  • Encourage employees to report suspicious emails, phone calls, or behavior. Rather than punishing an employee who clicks a link, thank them for reporting it. Creating a culture that shames those who fall for a phishing scam simply means that they will no longer report their mistakes, and you will have less time to react.
  • Keep your Incident Response Plan up-to-date and practice it. When you experience an incident of some kind, you need to be prepared. Every member of the IR team (which needs to include non-IT personnel such as communications, legal counsel, and executives) must understand their role and be ready to react quickly. Discuss critical information and decisions in advance – do you have cyber insurance? Who files a claim? Who decides whether to file a claim? Would you ever consider paying a ransom? Under what circumstances? Who makes that decision? The middle of a crisis is not the time to be asking those big questions.

What to Consider if You Have to Issue a Data Breach Notification

If you experience an incident, consider sharing as much as you legally can so that others can learn from it. Recently, the SANS Institute, an organization dedicated to cybersecurity training, experienced a data breach. (Yes, it really can happen to anyone at any time.) Rather than remaining silent, SANS took the unusual step of publicly releasing the indicators of compromise from their breach, so that – true to their mission – others can learn from it.

The next time you read about a data breach in the news, learn as much as you can, reassess your own security, and take a moment to spare a thought for the employees responding to it. Please think twice before you shame companies for issuing a data breach notification.

About the Author

Karen Sprenger

Karen Sprenger is the COO and chief ransomware negotiator at LMG Security. She is a noted cybersecurity industry expert, speaker, trainer, and course developer, in addition to managing LMG Security’s operations. Karen has over 25 years of experience in cybersecurity and information technology. She is a GIAC Certified Forensic Examiner (GCFE) and Certified Information Systems Security Professional (CISSP). Karen is a hands-on executive; she built a fiber optic network to 34 schools, supported 18,000 users, 50 miles of network, and one very temperamental vending machine, led many of LMG Security’s large incident response cases, and negotiated and paid ransoms. She is a long-standing teacher of a technical leadership advancement course for a large state agency, and speaks at many events, including the Institute of Internal Auditors, the International Legal Technology Association, and the Volunteer Leadership Council. Karen also implemented and constantly enhances LMG Security’s incident response and project management systems, as well as automating financial procedures to ensure consistency and client satisfaction. In her spare time, Karen considers “Digital Forensics” a perfectly acceptable answer to the question, “But what do you do for fun?” She is also part of the exclusive group of “techie geeks with strong communications skills,” and her superpower is providing understandable explanations of technical topics. Karen is proud to have played a substantial role in building the team at LMG Security with a focus on hiring top technical talent who can also communicate well with clients.