Now or Later? Lessons for Communicators From Data Breaches

Another day, another data breach. Or a potential data breach. Maybe.

By their nature, data breaches are tricky. As such, perfect knowledge about a breach rarely is available quickly. That's why it's common for estimates to fluctuate about how much data was exposed.  This uncertainty causes some brands to delay announcing they've had a breach.

Lesson: Granted, it's hard to admit you lack all the details. Sometimes, though, communicators must urge brands to make such admissions. Think about your customers. Shouldn't you tell them fairly quickly that there is a potential data breach? Would you rather wait a few days. How about a few weeks or months?

Good or Perfect?

Lesson: Anna Keeve, communications director at cybersecurity firm PolySwarm, acknowledges the conundrum. Never compromise accuracy for speed when making a breach announcement, she says.  On the other hand, detail may need to be sacrificed at the expense of speed, Keeve adds, "especially if there is an imminent and present threat to the customer."

Brands, we know, often are reluctant to release details during a PR crisis. It's the same with a data breach. The difference with a breach is a brand can say it's not talking for security reasons. That's understandable, sometimes.

Lesson: But can the public know for sure that security concerns led a company to wait before admitting a breach? How about what Google did with a breach at Google+ last year? It waited 7 months to reveal a breach. 'We had it under control quickly, so we didn't need to make it public.' Really?


That's one of the things about a data breach, if the effected company doesn't disclose it, how is the public to know? Therefore, it's tempting for brands to keep quiet about a breach.

Certainly companies disclose breaches voluntarily; too often they delay.

Google+ was bad, but the poster child for delay is Equifax. It discovered suspicious activity in its system in late July 2018. Equifax disclosed its data breach Sept. 7. The eventual damage: 145.5 million Americans had their financial data exposed.

In the interim several executives unloaded their shares and the Equifax CEO (now the former CEO) accepted an executive-of-the-year award, just days before the fateful Sept. 7 announcement. Incidentally, that announcement failed to include the word "breach."

Par for the Course

Lesson: Data breaches have become a fact of life very quickly. In a June 4 report, data security firm Forgerock said the cost of cyberattacks in the U.S. financial sector was more than $6.2 billion in Q1 2019, up from $8 million in Q1 2018. 97 percent of the time hackers go after consumer data, Forgerock said. In all, cybercriminals exposed 2.8 billion consumer data records in 2018. The cost to U.S. brands and organization was more than $654 billion.

While financial services and healthcare are prime targets, nobody is immune. That makes the quick poll Rick Gould conducted last year more worrisome. He surveyed 22 PR firms about their cybersecurity plans. Only half had them.

The Latest

The newest breaches (at least those we know about) involve Australia's National University (ANU) and the huge U.S. lab-testing company Quest Diagnostics. [See update below.]

Lesson: ANU took two weeks to announce its breach. The hackers had access to student and faculty data (contact and payroll info, bank accounts and more) stretching back 19 years. That's a lot of data.

Should ANU have waited two weeks to inform stakeholders about the breach? Was it a security concern that necessitated waiting? Perhaps. Hackers hit the school last year too.

Quest's Timing

Closer to home Quest seems to have acted honorably, if deliberately. On May 14 a vendor, AMCA, informed Quest and Optum360, a Quest contractor, that an "unauthorized user" might have gained access to AMCA's system. That system contains personal information AMCA received from Quest and other entities. Two weeks later, on May 31, AMCA confirmed the malfeasance to Quest.

Today (June 4) Quest told the public of the breach. It said data of 11.9 million people might have been compromised. AMCA has yet to provide Quest or Optum360 "detailed or complete information" about the incident, it added.

Chicken or Egg?

NBC News said Quest made the announcement in an SEC filing. The intimation, at least to us, was that Quest buried it. Other outlets, though, noted Quest announced the breach in a press release. Which came first, the SEC filing or the press release?

In response to a question from PRNEWS, Rachel Carr, a Quest communicator, said the release and the SEC filing "were both issued on the same day [June 4]."

Quest refused to answer an earlier question from us: Why it waited two weeks to inform its customers of a possible breach.

The new reality with data breaches, Keeve says, "might be that sometimes it is better to come out with what you know (and don’t know) sooner, rather than come out with everything you know later."

Seth Arenstein is editor of PRNEWS. Follow him: @skarenstein

Update (June 5, 2019, 10am ET): Another company that works with AMCA, LabCorp, said yesterday that data of 7.7 million of its customers was compromised.