When is evidence not evidence? When it is referenced in a breach notification.
There have been numerous cyber incidents which have required press releases and notifications to regulators and data subjects. Many of these notifications use common wording techniques which, as a digital investigator of many years, I find hard to swallow because they are inaccurate, misleading or downright lies.
The most recent example is the incident at Travelex, where press releases and other corporate communications have had to roll back initial assurances that personal data had not been breached.
A false sense of security
The first of these is the statement "your security is important to us" or something similar. This is generally preceded by the headline "we are sorry but we have suffered a data breach...". This is an oxymoron! Often, it is precisely because the organisation suffering the breach has not paid attention to the importance of security that attackers have been able to compromise its systems and steal the data. The vast majority of organisations who suffer these incidents have simply not invested adequately in IT or security technologies and the expertise needed to operate them. Perhaps it is true that since the incident, the victim organisation has become more focused on security and now considers it important. Great, as long as it lasts, but it is little solace to those data subjects who may now be the targets of cyber criminals and fraudsters.
When is evidence not evidence?
The second statement is usually akin to "we have found no evidence that personal data has been breached." Again, this is usually misleading, because it implies that the organisation has systems configured to record events related to data exfiltration.
In reality, very few organisations have implemented suitable monitoring systems, so the lack of evidence is actually due to a lack of capability to record it.
It is therefore vitally important that digital investigators assist the legal and PR advisers who draft breach press releases and notifications for affected clients, so that the client's true capabilities in security and in the production of evidence are established before wording is used which may mislead regulators, data subjects and the public.
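The distinction drawn above between "no evidence was found" and "no evidence could have been recorded" can be made explicit with a simple capability check of the kind an investigator would run before advising on wording. The following Python is an added illustration, not a tool from the author or their team: the data stores, retention figures and incident dates are constructed sample values, and the fields recorded per system (access logging, retention, egress monitoring, whether logs were reviewed) are assumptions about what such a check would need.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass
class DataStore:
    """One system that may hold personal data (fields are assumed, not from the article)."""
    name: str
    holds_personal_data: bool
    access_logging: bool       # are reads/exports of records recorded at all?
    log_retention_days: int    # how far back those records can still be retrieved
    egress_monitoring: bool    # outbound transfers observable (proxy, DLP, flow logs)
    logs_reviewed: bool        # did the investigation actually examine the logs?


@dataclass
class Incident:
    earliest_compromise: date  # earliest date the attacker could have had access
    assessed_on: date          # date the investigator checks what logs still exist


def coverage_gaps(store: DataStore, incident: Incident) -> List[str]:
    """Reasons why this store could NOT have produced evidence of exfiltration."""
    gaps = []
    window = (incident.assessed_on - incident.earliest_compromise).days
    if not store.access_logging:
        gaps.append("no access logging")
    else:
        # Logging that did not reach back to the start of the exposure window
        # cannot show that nothing happened during the uncovered part of it.
        if store.log_retention_days < window:
            gaps.append(f"retention {store.log_retention_days}d < {window}d exposure window")
        if not store.logs_reviewed:
            gaps.append("logs exist but were not reviewed")
    if not store.egress_monitoring:
        gaps.append("no egress monitoring")
    return gaps


def assess_no_evidence_claim(stores: List[DataStore], incident: Incident) -> Tuple[str, Dict[str, List[str]]]:
    """Classify whether "we found no evidence of exfiltration" is a supportable statement.

    'supported'        every personal-data store could have recorded exfiltration and was reviewed
    'partial'          some could, some could not
    'no_capability'    none could, so absence of evidence says nothing
    'no_personal_data' no in-scope store holds personal data
    """
    relevant = [s for s in stores if s.holds_personal_data]
    per_store = {s.name: coverage_gaps(s, incident) for s in relevant}
    covered = [name for name, gaps in per_store.items() if not gaps]
    if not relevant:
        return "no_personal_data", per_store
    if len(covered) == len(relevant):
        return "supported", per_store
    if not covered:
        return "no_capability", per_store
    return "partial", per_store


def suggested_wording(verdict: str) -> str:
    """Wording that matches what the evidence can actually bear (illustrative, not legal advice)."""
    return {
        "supported": "Our logs covering the affected systems for the full period show no access "
                     "to or transfer of personal data.",
        "partial": "Logs covering some affected systems show no transfer of personal data; for the "
                   "remaining systems we cannot determine whether data was accessed.",
        "no_capability": "We are unable to determine whether personal data was accessed or "
                         "transferred because the affected systems did not record the necessary information.",
        "no_personal_data": "The affected systems did not hold personal data.",
    }[verdict]


# Constructed sample data: a 45-day exposure window and four systems of varying capability.
SAMPLE_INCIDENT = Incident(earliest_compromise=date(2020, 1, 1), assessed_on=date(2020, 2, 15))
SAMPLE_STORES = [
    DataStore("crm-db", True, True, 90, True, True),          # fully covered
    DataStore("hr-fileshare", True, False, 0, False, False),  # nothing recorded
    DataStore("backup-server", True, True, 30, True, True),   # logs rotated before window start
    DataStore("web-analytics", False, False, 0, False, False),  # out of scope, no personal data
]

if __name__ == "__main__":
    verdict, gaps = assess_no_evidence_claim(SAMPLE_STORES, SAMPLE_INCIDENT)
    print("verdict:", verdict)
    for name, reasons in gaps.items():
        print(f"  {name}: {', '.join(reasons) or 'evidence capability present'}")
    print(suggested_wording(verdict))
```

Run on the sample data the verdict is "partial": only the CRM database could have shown exfiltration for the whole window, the HR file share recorded nothing, and the backup server's 30-day log retention is shorter than the 45-day exposure window. The point of the per-store gap list is that "no evidence" is only a meaningful finding for the systems that appear with an empty list.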
Of course, it must be appreciated that revealing this lack of security and control to the press, regulators or data subjects would not be in the best interests of the victim organisation, but playing on words to suggest security and monitoring capability where none exists cannot be in their best interests either.
Whilst the aim may be to protect a client's reputation despite the lack of controls, this is not always easy to do. After all, if the client had implemented adequate controls, it is likely they would not have suffered the incident in the first place.
Finding the best risk mitigation strategy
After investigating hundreds of cyber incidents, many of which have been data breaches, my team has learned that the best way to help the client manage the risks to their business resulting from such incidents is by providing truthful information to third parties.
The Regulators are not stupid! They have seen more breach notifications than any of us. They know that most organisations who are victims of cyber crime are unlikely to have had adequate security. They also know that few such organisations will have implemented systems and processes to give them the ability to reliably know whether or not data has been exfiltrated.
Surely, making misleading claims is more likely to attract regulator scrutiny and therefore invites precisely what the victim organisation does not want to happen. Data subjects may be less knowledgeable, but that does not mean all of them will be, and all it takes is a sufficient number to complain to the regulators for the likelihood of uninvited scrutiny to increase.
The best way for the executive management of victim organisations to manage the risk is to be clear and honest and to avoid claiming or insinuating the existence of levels of control which will not stand up to scrutiny.
Failing to plan is planning to fail
The ideal opportunity to consider a notification strategy is during planning for cyber incidents. Early (pre-breach) consideration by executives will allow them to decide whether they wish to claim capabilities in security, the presence of evidence, or indeed other controls, in press releases and notifications to regulators and data subjects. If they do, they first need to ensure that their organisations actually have these capabilities, so investment will be needed.
The truth will out
Regardless of plans, it is most important that the executives of victim organisations and their legal and PR advisers seek accurate answers to questions about the state of their systems' security and their ability to detect and produce evidence of data exfiltration before deciding on the wording of required press releases and notifications to regulators and data subjects. Failing to do so risks not only reputational harm but the spotlight of the regulators, raising the spectre of significant financial penalties and the legal costs of defending against them.
Cybersecurity Advisor/Coach
4 years
Unfortunately this is far too common in our experience. "Absence of evidence is not evidence of absence"
Lloyd's General Representative, Mauritius, and Founding Partner, Reinsurance Solutions Group
4 years
Well said, Neil!