This is the time of year when many sites compile their lists of the worst breaches of the year. Some consider all sectors, some confine themselves to one sector. Many base their lists on the numbers reported to some regulator.
Over the years, I have compiled my own annual lists where the “worst breaches” were not always the biggest breaches, but may have been small-n breaches with the potential for great harm.
This year, I thought about compiling a list of worst incident responses based on my experiences of trying to get information or answers. I see that Carly Page and Zack Whittaker of TechCrunch have posted a list based on their experiences. With one exception, none of the incidents they cite would have been on my list because my list tends to focus on the healthcare sector.
But even trying to focus in on healthcare incidents leaves waaaaay too many poorly handled incidents competing for top place on any such list. And when I tried to narrow it down further, I decided rather than naming individual entities who really had deplorable incident response, I would just list my criteria for inclusion on my “These healthcare entities really did a piss-poor job of incident response” list.
So here we go:
1. Lack of transparency about what happened, Part 1. Too many entities went backwards on transparency this year. As examples, rather than simply acknowledging they were the victim of a ransomware attack, they couched it as a “data security incident” and made no mention of any encryption of data, ransom demand, or any ransom payment if one was made.
2. Lack of transparency about when a breach was discovered. Too many entities claimed they “recently learned” of an incident when the truth was that they learned of it many months or even a year earlier. Many try to suggest that they have reported a breach within 60 calendar days of discovery by misrepresenting the actual date of discovery, which is the first day on which a breach is known or should reasonably have been known to the covered entity or business associate. It is not the day you first confirmed everyone who was affected or all the data types involved. It is the first day you knew or should have known you had a breach.
3. Lack of transparency about what happened, Part 2. Too many entities used weasel words about how data “may have been” accessed or acquired when they knew damned well that data was accessed or acquired. They continued to try to minimize risk by claiming that they had no reports of any misuse of data.
4. Lack of transparency about their obligation to notify. Some entities decided to try suggesting that there really was no need or legal obligation to notify people of a breach by using language suggesting that they were (only) notifying “in an abundance of caution” so that people could take steps to protect themselves if they thought it necessary. If you were required by law to notify, then do not suggest that you are notifying “in an abundance of caution.”
5. Lack of transparency about what happened, Part 3. One of the most infuriating examples of attempts to minimize breaches occurs when entities know that protected health information has already been leaked on the dark web or clear net but they do not tell those affected that their data has been leaked. Notification is for the benefit of the ultimate victims, who need to assess their risk so they can protect themselves. If you don’t tell them their data is out there publicly for anyone to grab and misuse, you have failed them totally, in this blogger’s opinion.
6. Lack of transparency about what happened, Part 4. There are the entities who do not disclose breaches at all, even when they are required to by law. It would be nice if state and/or federal regulators went after a few of these and hit them with huge fines and monitoring as penalties.
7. Lack of transparency about what happened, Part 5. Stonewalling the media. Do you think if you just ignore our questions or refuse to answer them, we will just publish your little self-serving press release uncritically? Well, maybe some lazy sites will, but not this site, folks. No press release will ever just be published in 2023 without pointing out what information the entity has not provided or is refusing to answer.
So… if you have done any of 1-7 above in breach notification this year, expect to get called out for that behavior in 2023.
As always, this site will also always call out entities who do a good job on transparency or incident response. It’s just that there are more of the bad ones and not enough of the good ones.
Wishing you all a healthy, happy, and breach-free New Year.