Companies breached by computer hackers must inform customers that their personal information has been compromised. But when?
As 30 journalists learned at a cybersecurity demonstration last month, there's value to holding off.
Being immediately upfront with customers gives victims time to clamp down on accounts to avoid theft or other damage. Notifying users too soon, however, can damage a brand's reputation and risks inviting further attacks.
This debate turned out to be one of the most divisive among the journalists participating in a mock data breach organized by Stanford University's Hoover Institution. This was the scenario: Frizzle, our social media and Web search giant, had realized hours earlier that hackers gained access to users' emails and social media accounts.
Should we retaliate? Should we shut apps down? Should we tell authorities or business partners? Should we tell the public? Were we legally obligated to do anything?
The made-up company's business strategy and marketing units recommended to our board of directors that Frizzle immediately inform users that someone had gained access to their personal information.
My engineering team dissented. Give us time to figure out the extent of the damage and knock the attackers out of our systems, we pleaded.
We were right. The gut reaction to go public fast isn't the smart option, according to real-life business executives who confront cyberattacks daily and sat on Frizzle's board.
"It takes time to figure out what happened, and sometimes notification can cause more damage because you haven't had time to remediate it," said Ruby Zefo, Intel Corp.'s chief privacy and security counsel.
Companies can take months before publicizing an incident, if they're even required to do so, said our board, which included Uber's chief security officer, Stanford senior fellow Amy Zegart and two other cybersecurity experts.
It may be tough for consumers to accept that a company would delay notifying victims – even in the interest of having a solid grasp of the incident.
But the simulation by the Hoover Institution – a politically influential conservative think tank -- aims to create at least some appreciation of the companies' side.
Zegart introduced cyberattack simulations in 2013 (in the wake of former National Security Agency contractor Edward Snowden leaks) to a master's in business administration class she co-taught with former Secretary of State Condoleezza Rice.
People who work for members of Congress were next to work at Frizzle. They "were hungry for opportunities to learn" about digital security, said Zegart, co-director of Stanford's Center for International Security and Cooperation.
Jeff Lowenstein, chief of staff to Rep. Adam Schiff (D-Burbank), said he doesn't remember the recommendations his Frizzle public policy team made to the expert board last summer. But having never been in a traditional corporate job, he gained just the sort of empathy Zegart intended.
"I don't know what the exact policy line is, but I think it's useful to have the side of the victim," Lowenstein said.
His insights echoed what journalists took away.
Public acknowledgment of an attack could trigger legal obligations, potentially turning corporate offices into a crime scene where employees are unable to work to shut out attackers.
Providing inaccurate information could make the company look unreliable down the road, as experts said Target Corp. did during its massive 2013 breach. And you can bet that board members will compare response strategies with how companies such as Target and Home Depot fared in the aftermath of high-profile hacks.
Numerous business and logistical factors also may guide when a breach is announced. Is the CEO scheduled for major public appearances soon? Is a quarterly financial release around the corner? Is there a major product launch set?
Perhaps most important, attackers get a vote. Companies must bear in mind that hackers could bombard the company if it announces that it has been targeted and hasn't bolstered its defenses.
Zefo said the drill can affect laws, letting policymakers experience what happens when, for example, deadlines to notify potential breach victims are short and inflexible.
"You can't broad brush everything into a typical scenario," she said. "They are getting better understanding of all the angles."
Zegart wants federal judges to run Frizzle next; Zefo suggested corporate lawyers would benefit too.
"A great deal of cyberpolicy is being developed by judges who will mostly admit they have very little technical background," Zegart said.
She has surveyed undergraduates who have been through other simulations to gauge what information helped them on the job.
They didn't recall many facts, let alone use them. But they could remember the feelings of simulation. "It's a memory infused with emotion," Zegart said.