From Caution To Compliance: Drafting Effective Breach Disclosures
A checklist of factors and best practices for drafting materially compliant breach disclosures, and the role of CISO vs. GC in the process.
What do Sisense, AT&T, Okta and Mailchimp have in common? They all recently issued breach "disclosures." However, the timing of those disclosures ranged from 24 hours to 3 years, and their content ranged from an "abundance of caution" notice with no specific details to a detailed root cause analysis with a concrete timeline.
Responding to a data breach is understandably a stressful time. Speed is of the essence, as the clock is ticking on notification obligations to customers. For public companies, a second clock may also be ticking: the SEC rule requires a Form 8-K disclosure within four business days of the company determining that a cybersecurity incident is material (the clock runs from the materiality determination, not from discovery of the incident). A company may be held liable if the disclosure is delayed for too long, but also if it is deemed inaccurate or misleading.
How do we balance timeliness and accuracy to draft effective breach disclosures that are also materially compliant with legal requirements? Who should be making these time-sensitive and consequential decisions? To that end, this post provides a checklist of factors that companies can consider, along with the role of the CISO vs. the GC in the process. It also provides an analysis of the recent disclosures to highlight best practices and opportunities.
Checklist of Factors & Role of CISO vs. GC
The recent trend of enforcement actions against company cybersecurity leaders in response to data breaches, for example at Uber and SolarWinds, signals increased accountability for timely and accurate disclosures. It also raises the stakes for the Chief Information Security Officer (CISO) and the General Counsel (GC) in determining compliance with the disclosure requirements.
While the actual determination will be based on the facts specific to each situation, there are generally applicable factors that should be taken into consideration. Below is a checklist of such factors, along with the role of the CISO vs. the GC (or the equivalent cybersecurity leader and legal counsel) in this process:
Facts:
- Does the company have sufficient facts to understand the nature and the extent of the breach?
- Does it know with some degree of certainty when the breach started, what kind of information was compromised, how many people were affected, whether the exposure is ongoing, and what steps can be taken to mitigate the risk?
- Was the compromised information protected in some way, e.g. hashed or encrypted? (If so, with what algorithm and under what key management, since a weakly hashed or client-decryptable dataset may still count as exposed.)
These questions require a technical understanding of how the information was stored and how it may have been compromised. They should be addressed by the CISO with input from the incident response team.
Impact:
- Depending on the facts, does the company have an assessment of the impact of the breach?
- Does the compromised information comprise personal data, or can it be used to obtain the personal data of affected users (for example, session tokens or credentials that grant access to accounts holding such data)?
- In other words, does the compromised information directly or indirectly result in exposure of personal data?
These questions require a technical understanding of the facts combined with a legal understanding of what constitutes personal data. The CISO and GC should collaborate to determine the impact of the breach, which is the threshold inquiry tied to the notification obligation.
Notification:
- Depending on the facts and impact of the breach, does the company have an obligation to notify the affected users, and if so, by when?
- What details should be included in the notification?
- What are the company's obligations for breach notifications under its customer contracts, and under any applicable laws?
For example, if personal data of individuals in the EU is impacted, the GDPR requires notification to the supervisory authority within 72 hours of the company becoming aware of the breach, describing the nature of the breach, its likely consequences and the measures taken or proposed, and notification of the affected individuals without undue delay where the breach is likely to result in a high risk to them.
These questions require an understanding of the law. The decision should ultimately be made by the GC based on the applicable law to ensure a compliant disclosure.
Best Practices and Opportunities
We reviewed the recent data breach disclosures mentioned above to highlight best practices and opportunities. Below is a summary of our findings.
Sisense: Among the most recently reported breaches, this is likely still under investigation. The company informed its customers about a potential incident, with no specific details, on Apr 10, 2024. A federal agency, CISA, issued an alert the next day confirming the compromise of Sisense customer data and urging customers to reset credentials and secrets potentially exposed to Sisense services.
- Timing: The timing from initial knowledge of exposure to the initial notification is unclear.
- Accuracy: Start date and other details: not specified. Guidance on cautionary steps to mitigate: yes.
- Summary: Notification issued without complete impact analysis. No root cause analysis available yet.
- Issued by: CISO
- Company type: Private. Not subject to SEC 4-day disclosure rule.
AT&T: This is a two-part breach spanning 3 years, with the notification arriving only recently. An initial set of data was exposed online in Aug 2021; the company denied that it came from its systems and issued no notification. A larger set of 73 million users' data was published online in March 2024, including 7.9 million current customers, after which AT&T reset the affected account passcodes and advised customers accordingly. A formal notification of data breach was issued in April 2024 to 51 million users.
- Timing: Time between first exposure and notification was 3 years.
- Accuracy: Date started: 1st exposure Aug 2021, 2nd exposure March 2024. Number compromised: 73 million. Impact: account records, including passcodes. Guidance on cautionary steps to mitigate: yes.
- Summary: Notification delayed in favor of verification and impact analysis, which the company completed 1 month after the 2nd exposure. No root cause analysis was published.
- Issued by: Outside counsel
- Company type: Public. Subject to SEC 4-day disclosure rule.
Okta: The company first learned about suspicious activity from a customer on Sep 28, 2023. It received additional reports from customers, including indicators of compromise, over the following weeks, after which it issued a detailed notification with root cause analysis on Oct 19, 2023.
- Timing: Time between first exposure and notification was about three weeks (Sep 28 to Oct 19).
- Accuracy: Date started: Sep 28, 2023. Number compromised: 134. Impact: support case files (HAR files) uploaded by customers, including session tokens. Guidance on cautionary steps to mitigate: yes.
- Summary: Notification delayed somewhat in favor of a detailed impact analysis.
- Issued by: CISO
- Company type: Public. Subject to SEC 4-day disclosure rule.
Mailchimp: The company detected unauthorized access on Jan 11, 2023 and issued a notification the next day, on Jan 12, 2023.
- Timing: Time between first exposure and notification was 24 hours.
- Accuracy: Date started: Jan 11, 2023. Number compromised: 133. Impact: email account access. Guidance on cautionary steps to mitigate: yes.
- Summary: Notification issued after an expedited impact analysis.
- Issued by: Company blog (no name). An earlier blog post was signed by CISO.
- Company type: Public. Subject to SEC 4-day disclosure rule.
Conclusion
To recap, a disclosure that is deemed delayed or misleading may undermine the company's breach response efforts. The checklist of factors shared in this post should help companies balance timeliness and accuracy, and better understand the role of the CISO vs. the GC, when drafting breach disclosures. The post also provided an analysis of recent disclosures to highlight best practices and opportunities.
Connect with us
If you would like to reach out for guidance or provide other input, please do not hesitate to contact us.