How organizations delay data breach reports to bury bad news


Organizations may strategically time data breach reports to minimize their impact.

Why is it crucial to promptly and comprehensively report cyberattacks? Primarily because cybercriminals tend to reuse the same vulnerability for as long as it keeps working, so once one organization has been compromised, it's quite likely that similar organizations will be targeted next.

As such, organizations should share details about attacks as quickly as possible, so that other organizations, whether they have a direct relationship with the original firm (such as suppliers and customers) or are entirely distinct entities, can check that their own systems are not exposed to the same weakness.

This practice would also have selfish advantages, as it would encourage other organizations to be similarly transparent, which would help your own teams ensure systems are secure.

What's more, it would also assist law enforcement agencies and regulators in managing their response to any attack, and ensure that any remedies to which affected stakeholders are entitled arrive as promptly as possible.

However, not all organizations share the sentiment, with some purposefully delaying data breach reports for their own benefit.

Reputational harm

Of course, suffering a cyberattack can have significant commercial consequences for firms. For instance, the 2019 attack on Capital One saw its share price fall by around 14% in the weeks after the attack. Equifax suffered similar consequences after it was attacked in 2017.

While research shows that the worst thing organizations can do is try to hide attacks from the outside world, there is nonetheless an understandable temptation to do just that.

Research from the Technical University of Munich highlights how firms often try to have it both ways: announcing the breach to the public and to regulators, but doing so on days when the announcement is likely to be buried by other events.

"By demonstrating that firms may attenuate market reactions through strategic timing, our study helps understand the causes of the observed unresponsiveness of markets to data breach announcements," the researchers explain.

Strategic timing

The concept of "burying bad news" shot to public attention after a British government spin doctor suggested that the 9/11 attacks in the United States would be an opportune moment to push out bad news. It was a tactic also used when publishing bad rail figures on the same day as Princess Margaret's funeral. The revelations eventually led to the dismissal of the individuals involved, but the tactic has clearly endured.

"The concept of 'burying' bad news raises a raft of ethical and legal concerns. It's also a terrible business decision that can cause irreparable harm to the company and its clients," Zach Colvin, president of strategic communications agency Headstand, told me. "Companies that are transparent and quick to provide news, even bad news, will ultimately be far more respected and can move to build back trust far more quickly than those who play games on the communications front. The truth always comes out. For companies that delay or obfuscate the issue, the decision could prove to be catastrophic."

While intentionally staging the timing of bad news announcements to minimize their impact may be morally questionable, the researchers highlight how effective it is as a strategy. Indeed, they argue that it's sufficient to reduce the hit to the firm's market capitalization from $347 million to $85 million.

Harming consumers

While it's an approach that can benefit companies, it is far less beneficial to consumers, as the lack of an appropriate "punishment" for firms removes the incentive to improve their cybersecurity. This is especially concerning because the researchers found that strategic timing of announcements is particularly common when the breached data is healthcare or financial data.

They believe that strategically timing news about breaches effectively undermines current data breach legislation, leaving consumers and investors alike in the dark about the security of vital data and systems.

The researchers also find that strategic timing is particularly common for non-severe data breaches, data breaches affecting public firms, and data breaches that stem from internal issues, such as theft or employee error.

They argue that their findings demonstrate the need for lawmakers to legislate against this phenomenon and mandate significantly shorter disclosure deadlines than the 30 days currently given to organizations. Indeed, they argue that to prevent selective reporting, this deadline should be reduced to just three days.

"Strategic timing is harmful for consumers because it undermines the effectiveness of current U.S. data breach legislation," the authors conclude. "Because consumers and investors receive less information about the occurrence of a data breach, less change is being promoted in firms to protect consumers against future security issues."