Consequences of the Late Announcement of Cyber-security Incidents
Cyber-security attacks, which are becoming more and more common among organizations of various types and sizes, may have serious effects on electronic communication networks, provision of services, and national security. Although significant breaches that affect many users or extensively disrupt the functioning of an organization usually receive extensive media coverage, smaller security incidents may remain unreported to the public. This can occur for several reasons. For example, the affected organization may become aware of the incident later, it may consider the incident insignificant (e.g., no personal data has been accessed), the local law may not impose requirements on reporting cyber-attacks, or, after conducting balancing tests, the organization may conclude that reporting the incident will cause substantial damage. Nevertheless, in practice, late announcement of cyber-security incidents may be beneficial only in a small number of very specific and selective cases. In most cases, late announcement of incidents may cause significant reputational harm and possible legal liabilities.
It is important to note that the laws of some jurisdictions impose short time frames and strict procedures for reporting computer security incidents, especially those entailing personal data breaches. For example, the upcoming EU data protection law (GDPR) stipulates that, if a security incident that includes a personal data breach may result in a risk to the rights and freedoms of natural persons, it should be reported to the national supervisory authority within 72 hours after the organization becomes aware of it. In the US, the reporting time frame depends on the type of cyber-attack experienced by an entity. The US Computer Readiness Emergency Team should be notified about reportable incidents within an hour or two after the discovery of such an incident. In addition, there are voluntary incident reporting schemes and requirements imposed by industry-specific regulators. For example, in summer 2017, the European Central Bank (ECB) imposed on more than 100 banks new mandatory, tailored cyber incident reporting requirements that do not stem from legislation.
Incident response plan
The implementation of an organization’s incident response plan and its incident reporting time frames depend on various aspects of the cyber incident, such as the type of organization that has experienced the attack, the data and/or systems that have been accessed, and the severity, scope, and type of the attack. In addition to contacting the national agencies that assist in coordinating the response to an incident, it is good industry practice for an organization to report incidents to its clients and the public in general. Such an external communication strategy, which usually includes informing clients by e-mail and preparing press releases, accompanies internal communication during the mitigation of the incident.
Failure to report timely
Due to the fear of possible adverse effects of security events or belated information about such events, some organizations fail to announce the experienced attack promptly. By way of illustration, in late November 2017, Uber notified its users worldwide about the massive incident that had occurred in 2016, a year before the actual announcement date. During the attack, hackers accessed personal data of 57 million Uber users, including their driver license numbers, names, and phone numbers. The breach was facilitated by accessing third-party cloud storage used by Uber’s systems. Nevertheless, to avoid the reputational impact of this large-scale event, Uber did not notify its users and law enforcement bodies. Instead, the company paid USD 100,000 to the hackers, asking them to destroy the obtained personal data.
Intentional or unintentional late public disclosure practices may have benefits and drawbacks that are further discussed below. We do not consider the legal liabilities for not complying with timely reporting requirements as they may differ depending on the jurisdiction in which the affected organization is operating.
A benefit of late announcement
The main benefit that can stem from delayed public reporting is the possibility of mitigating the associated reputational harm and the damages related to it. The organization may “postpone” the immediate negative reputational effect of the incident and rely on the possibility that, with the passage of time, the incident will appear less severe. The effect of such a measure can be twofold. The difference in the psychological perception of an incident that has just occurred and one that happened a long time ago may make such an action plan effective. However, it is of utmost importance to note that such a move may also have a completely reverse effect. The organization may be perceived as a negligent undertaking that does not respect its clients, partners, reputation, and honest industry practices.
Other situations in which organizations may choose to announce a cyber incident later are those particular cases in which immediate reporting could cause physical harm to persons, organizations, or the environment, or affect the confidentiality, integrity, and availability of other secured data.
Drawbacks of late announcement
The drawbacks related to the late announcement of cyber-security incidents include the following:
- Preventing the rise of awareness about the incident. The targeted organization may not be the only victim of the attack, as more entities can be affected by it. By not discussing the incident publicly, the affected organization cannot share and receive helpful information (e.g., information about the perpetrator’s tactics, a timeline of events, and effective mitigation techniques) that can help to avoid such incidents in the future.
- Preventing victims from taking remedial action immediately. By failing to inform the affected parties about the incident, the organization will prevent the victims from taking actions immediately and employing preventive measures for possible future incidents.
- Losing the chance to test incident response plans and practice external communication strategies. Although an incident response plan drafted and maintained by an organization may be foolproof, its strengths and flaws can only be seen in practice. Thus, by applying an incident response plan in a real-time environment, an organization can assess the effectiveness of its cyber-security strategies.
To conclude, external and internal communication strategies are essential elements of an effective incident response plan. They not only regulate the mitigation of incidents within the organization, but also assist in limiting the reputational harm that follows them. It is important to stress that a well-structured, professional, and detailed announcement of a security incident may mitigate the adverse effects of the event, share good practices, and keep transparent and reliable relationships with the organization’s partners. Finally, a timely public dialogue about the incident may evolve into a broader discussion about the core of the problem and help to find a solution.
Late announcement of cyber-security incidents can rarely be justified or beneficial. Usually, the failure to announce an incident promptly will discredit the compromised organization and raise legal liabilities.
- ENISA, EU Agency for Network and Information Security. Available at https://www.enisa.europa.eu/topics/incident-reporting
- Larson, S., ‘Uber’s massive hack: What we know,’ CNN, 23 November 2017. Available at http://money.cnn.com/2017/11/22/technology/uber-hack-consequences-cover-up/index.html
- US-CERT, Incident Reporting System. Available at https://www.us-cert.gov/forms/report?
Rasa Juzenaite works as a project manager at Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. She has a background in digital culture with a focus on digital humanities, social media, and digitization. Currently, she is pursuing an advanced Master’s degree in IP & ICT Law.