What Not to Do When Reporting a Cyber Breach


With cyber-attacks growing in number and ransom demands growing in size, it has become increasingly important for companies to have a plan in place for the event of an attack. That plan should include how to properly announce the incident to clients and customers.

In many cases, companies want to wait a few days while they assess the damage to their infrastructure. This allows forensic investigators to determine the scope of the intrusion and, from that, who has to be notified. In the United States, each state has its own breach-notification law setting out whom to notify and how quickly. Sometimes, though, it can be months before the public is even aware of an incident. Equifax's systems, for example, were compromised beginning in mid-May 2017; the company did not detect the intrusion until late July and did not announce it until September. In Europe, the GDPR requires a company to report a personal data breach to its supervisory authority within 72 hours of becoming aware of it, and to inform affected individuals without undue delay when the breach is likely to pose a high risk to them. Failing to do so exposes the company to fines of up to 20 million euros or 4% of its worldwide annual turnover, whichever is higher.

In Britain, clothing retailer FatFace is facing scrutiny over its response. In January 2021, its IT department noticed irregularities in its systems. However, it was not until March 2021 that its CEO revealed to customers that their personally identifiable information (PII) had been exposed. When faced with angry responses over the length of time it took, FatFace claimed in the email that it had taken this long to notify as it was trying to provide “the most accurate information possible” on what had been taken and who was affected.

Customers were also angry that the email, signed by CEO Liz Evans, did not offer a formal apology for the incident, but instead requested that the recipient “keep this email and the information included within it strictly private and confidential.”[1]

Failing to disclose a cyber breach, or disclosing it late and without a clear explanation, can have long-term consequences for your brand and future business. Consult the breach-notification laws of every jurisdiction in which you hold customer data to determine what must be disclosed, to whom, and within what timeframe.


[1] https://www.infosecurity-magazine.com/news/fatface-faces-customer-anger/
