Wow. I just read some really offensive advice by Ronald Raether about what to say after a data breach.
Well, I should be clear that I didn’t read all of his advice because I stopped reading after his first answer to the interviewer:
RONALD RAETHER: The first place to start is with defining the goals. Traditionally in media management, the goal has been to control the message, to control what happens in print media and now television. In data breach response instances, I believe that the goal really ought to be to satisfy the audience, to provide sufficient information so that number one, the reputation of the company is maintained and then number two, to mitigate or prevent any litigation or government investigation that could harm the business operations of the company.
Any other privacy advocate offended by the language or the priorities? The victims of a data breach are not an “audience.” They are people who do not need to be entertained or lectured to. They are the lifeblood of the business and they have been harmed to one degree or another by a breach. So let’s lose the “audience” image, which also implies that the breached entity is now putting on an act for an audience.
Second, “number one” is not maintaining the reputation of the company. Number one is taking care of the victims of the data breach to make them as whole as possible. And number two is not mitigating or preventing litigation or government investigation. Number two is engaging forensic experts and hardening security so the business can tell its customers why they should trust them going forward.
What a shame that GovInfoSecurity didn’t interview someone who views the breach victims as individuals who need – in plain language – a statement of what happened, how the company appreciates any distress they may feel and how it will help them deal with the breach, and what the company is doing to restore trust and ensure this doesn’t happen again. Yes, the company will be concerned about its reputation and litigation, but the way to minimize those risks is consistent with an approach that really puts the needs of the customers and respect for the customers first.
Sounds like a long winded way of saying “cover-up”.