How to communicate data breaches to stakeholders
Massachusetts Air National Guardsman Jack Teixeira’s arrest for leaking Pentagon data has made headlines for weeks. He is a classic example of the “insider threat” who maliciously and intentionally takes actions to breach data.
But most government data breaches aren’t nearly so spy-movie ready. Despite agencies’ and contractors’ best of intentions, they happen through accidents, lack of security awareness, or social engineering attacks from external threats. That’s why many data breaches can be prevented with straightforward policy changes, use of effective cybersecurity technology, and security training.
But vigilance and preparation can’t solve every data breach risk. That’s why agencies and contractors should also prepare for how to communicate breaches to the public.
Preparing for a data breach
There is no “one size fits all” solution for effective security measures for federal agencies and contractors. However, basic security preparation and planning should include:
- Digital solutions like anti-virus programs, proper usernames and passwords, and patches on endpoints like desktops and point-of-sale terminals. These steps will ensure across-the-board protection and will prevent human error from exposing information. So will proper firewall configurations, network intrusion detection systems, and the right setup for your cloud managed service.
- Data Loss Prevention (DLP) solutions monitor system data in use, in transit, or at rest to detect attempted thefts in email, messaging apps, Excel files, cloud applications, and databases. This is a special type of technical solution that warrants its own category because data losses and data breaches are often the result of your team or employees inadvertently exposing data while trying to do their job, such as:
- Emailing a spreadsheet to their personal email so they can finish work at home.
- Exposing people’s personal data by oversharing data with a contractor.
- Including personal data (such as a home address) in the body of an email from a call center representative.
- Security awareness training for staff. This is one of the least expensive and most effective ways to prevent a data breach. In addition to the legal and regulatory controls required by law, training should include helping your staff avoid social engineering attacks, such as when hackers manipulate someone into revealing information or performing other detrimental actions through email phishing or faking a text from the CEO.
- How you will communicate during and after a breach. The first step is to identify the kind of data that can be breached and assess its impact on national security and private citizens’ safety. Doing this ahead of time will improve the speed and quality of your response during a breach, because you don’t want the first time you think about navigating a breach to be during the real event. The second step is to inform stakeholders about what you’re doing to protect their data. Agency heads, Congress, regulators, and watchdogs should be aware of what you’re doing and why.
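The three inadvertent-exposure cases listed under the DLP bullet above can be expressed as simple outbound-mail rules. The following is an added example, not code from the original article or from any DLP product; the organisation domain, the personal-webmail domain list, the rule names and the sample messages are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Assumed values for this example: the organisation's mail domain and the
# personal-webmail domains are stand-ins, not values from a real deployment.
ORG_DOMAIN = "agency.example.gov"
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
SPREADSHEET_EXTS = (".xlsx", ".xls", ".csv")
# Street address: house number, one to three capitalised words, street-type suffix.
ADDRESS_RE = re.compile(
    r"\b\d{1,5}\s+(?:[A-Z][a-z]+\s+){1,3}(?:Street|St|Avenue|Ave|Road|Rd|Lane|Ln|Drive|Dr)\b"
)

@dataclass
class OutboundMail:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: list = field(default_factory=list)

def mail_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def dlp_findings(mail: OutboundMail) -> list:
    """Return the names of the DLP rules an outbound message triggers (constructed rule set)."""
    findings = []
    has_sheet = any(a.lower().endswith(SPREADSHEET_EXTS) for a in mail.attachments)
    external = [r for r in mail.recipients if mail_domain(r) != ORG_DOMAIN]
    personal = [r for r in external if mail_domain(r) in PERSONAL_DOMAINS]
    # Case 1: a work spreadsheet sent to a personal mailbox to "finish at home".
    if has_sheet and personal:
        findings.append("SPREADSHEET_TO_PERSONAL_MAIL")
    # Case 2: bulk data shared with an outside party such as a contractor; flag for review.
    if has_sheet and len(external) > len(personal):
        findings.append("SPREADSHEET_TO_EXTERNAL_PARTY")
    # Case 3: a home address typed into the body of a message leaving the organisation.
    if external and ADDRESS_RE.search(mail.body):
        findings.append("HOME_ADDRESS_IN_BODY")
    return findings

def scan(mails: list) -> dict:
    """Map each message subject to its findings; an empty list means the message is clean."""
    return {m.subject: dlp_findings(m) for m in mails}

# Constructed sample traffic: one message per case above, plus one clean internal message.
SAMPLE_MAILS = [
    OutboundMail("ana@agency.example.gov", ["ana.home@gmail.com"], "Q3 roster", "Finishing this tonight.", ["roster.xlsx"]),
    OutboundMail("raj@agency.example.gov", ["pm@vendor.example.com"], "Full export", "Per your request.", ["all_cases.csv"]),
    OutboundMail("cc@agency.example.gov", ["citizen@hotmail.com"], "Your case", "We have 42 Maple Street on file; is that still current?"),
    OutboundMail("lee@agency.example.gov", ["kim@agency.example.gov"], "Standup", "Moved to 3 pm in room 204."),
]
```

Running `scan(SAMPLE_MAILS)` yields one finding for each of the first three messages and none for the fourth; in a real deployment these findings would feed the alerting and blocking workflow rather than a dictionary.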
Navigating the breach
We recommend building trust before a crisis because it’s hard to do so during a breach. When a breach does happen, these five steps will help plug the technical leaks and mitigate brand damage:
- Acknowledge the facts, and don’t try to hide the breach. A cover-up is usually far worse than the mistake itself.
- Share important data about the nature of the crisis and provide good news if possible.
- Explain your response and why it was correct.
- Develop and announce concrete steps for mitigating the damage and securing data better in the future.
- Execute the steps and update stakeholders on progress.
Data security is not just an IT issue; it’s a business risk. Make a conscious decision ahead of time on how you will handle it. There are some scenarios when silence is the right solution, but we believe that most data breaches should be communicated to stakeholders as quickly as possible. This is not just legal protection; it’s also the right thing to do.
Unfortunately, the nature of modern government and contractors is that a data breach is likely a matter of “when” instead of “if.” While intentional bad actors like Jack Teixeira may require their own categories of prevention and controls, government agencies and contractors should focus most of their attention on preventing, detecting, and responding to unintentional data breaches.