An-Sofie Claeys, Verolien Cauberghe, and Mario Pandelaere have been conducting some interesting research on crisis management. Not surprisingly, they found that when entities disclosed first, even subsequent critical reports on their incidents had less impact than if critical reports appeared before the entity disclosed. Their studies were not addressing data breach disclosures per se, but the same issues would seem to apply.
Here are some snippets from their article in Harvard Business Review:
Our research focuses on an alternative approach, one that is referred to as “stealing thunder.” It involves self-disclosing crises and major issues before media gets hold of the story. Earlier studies on stealing thunder have found that self-disclosing organizational crises increases the credibility of organizational spokespersons. When an organization breaks the news about incriminating events, these problems will also appear less severe. In addition, organizations that steal thunder are considered more reliable and consumers are more inclined to continue purchasing their products. Our recent study adds to these findings by examining if self-disclosing an organizational crisis may be as effective as it is because old news is considered no news. When self-disclosing incriminating information, individuals will perceive the subsequent negative publicity as old news, and hence, pay less attention to it.
[…]
When an organization is not the first to communicate about a crisis, however, more attention to the critical third-party article could lead to more reputational damage. These findings can be explained by commodity theory’s stance that everything is valued based on its availability. When a commodity, such as information about a corporate crisis, is rare, it becomes more valuable. So novel information garners more attention and affects evaluations and attitudes more than old news.
I think their data are consistent with what I’ve been advocating for years: get the story out about your breach before this site or other news outlets do. If Brian Krebs, this site, or another site breaks the news of your breach before you do, you will likely be playing defense from a public relations standpoint.
That said, there are data that suggest that releasing information about a breach early may actually add to the total costs of breach response, as subsequent notifications/corrections may need to be made, etc.
So what to do? Overall, I still think the best approach is to get your story out before others do, but maybe we need more data on the costs of both approaches not just in terms of costs per person affected but in terms of churn and other factors.