Should organisations readily admit they have been hacked?
When organisations are hacked, they are often accused of being extremely tardy in alerting the public and of actively trying to conceal such incidents. However, should organisations immediately disclose that they have been hacked?
If Uber was not already having a bad year – from the poor judgement, bad behaviour and accusations levelled at its co-founder, its senior executives and the company at large – it is likely to get worse. Earlier this week, Uber revealed that over a year ago, it was hacked. In the breach, personal information on about 600,000 drivers and 57 million customers was stolen. In response, the company paid a ransom of USD 100,000 to the hackers, who promised they would delete the stolen data (Source: BBC).
Whenever a computer network breach is revealed, especially when the theft of customer data occurs, the public gets concerned. We feel vulnerable, we try to determine how exposed we might be, and much damage control is needed. It can also affect how we view the violated organisation, especially if it comes to light that it was not as vigilant as it should have been with respect to network security, or that it actively sought to conceal the incident.
Unfortunately, most organisations do not admit that they have been hacked – unless their hand is forced, for example, when their websites have been defaced, or when there are other obvious signs of unauthorised access to their networks.
For many, the two key reasons for not volunteering that information are the likely damage to their reputation and the desire to limit their liability. For businesses, sales can decrease significantly, and for publicly traded companies, share value can also be affected, all of which point to loss of trust and falling confidence among consumers. Nevertheless, should organisations have a greater obligation to disclose when their networks have been compromised, especially when the public might be directly affected?
Whilst consumers are likely to answer a resounding yes, there may also be some persuasive reasons to consider otherwise.
First, and in support of consumers, the need to know boils down to them being in a position to manage the potential fallout, for example, to be able to cancel credit cards, or to be more thorough when reviewing their billing statements if credit card information was stolen. Also, and referring to the issue of trust, as fleeting as it might be, in giving an organisation your personal information, a relationship is established between the organisation and each of its customers. To not share important information, such as a network breach and the resulting data theft, not only demonstrates a lack of transparency, but could also be seen as a breach of the trust placed in the organisation by its customers to keep their information safe.
On the other hand, in addition to trying to protect their reputation and limit their liability, organisations could overwhelm the public if every single incident – big and small – is made public. In the end, we might even end up becoming desensitised to all of those reports, and unable to quickly discern those that are minor from those upon which we should act.
Having said this, it is also worth noting that in many instances, and in the absence of any overt evidence, organisations do not realise they have been hacked, and only discover it several weeks, or even months, later. Should they immediately alert the public? Whilst the public might say yes, and the organisation might agree that the public needs to know, it could boil down to timing.
When incidents are discovered well after the fact, organisations are frequently scrambling to get answers: how did it happen, and what is the extent of the damage incurred? Such investigations can also take several weeks or months to complete. Hence the issue an organisation may need to grapple with is whether to alert the public immediately, even if it is still trying to determine how the incident happened and the extent of the damage incurred, or whether it should wait until it can speak more authoritatively on the matter.
Clearly, companies running off half-cocked to the public with major gaps in their understanding of the incident they experienced is ill-advised, as it is likely to exacerbate an already bad situation, precisely when people need answers. However, once they have a handle on the matter, and their customers are (or could be) affected, disclosure should be the priority. If done right, the relationship between organisations and their customers could be strengthened, even in the midst of such a difficult situation.
Image credit: Pixabay