It's Time to Grade Data Breach Responses

Quick: Think of three recent data breaches, whether in your industry or another. Now: Which of these three organizations responded best to its breach?

Odds are you have no idea—and that’s a problem.

Currently, there is no public scorecard or grading system for data breach responses, which means both consumers and other organizations are left in the dark about many details of the breaches themselves and how well organizations deal with them. For consumers, that’s an especially troubling issue because they need to determine—preferably based on facts rather than rumor or innuendo—whether they should continue to entrust their sensitive data to the breached organization. For peer organizations, such information would be helpful when they go through their own breaches.

Customers Come First: Tools of the Data Breach Trade

Even the breached organization should want to be graded on its breach response. The point of grades—in business as in school—is to provide feedback on current performance, point to areas in need of improvement, and inspire the changes necessary to earn better scores in the future. For organizations that provide detailed, transparent, and thorough breach responses, a high grade would let current and potential customers, as well as regulators, peers, and others, know that the breach has been handled well. For organizations that fail to respond well to a breach, the grade provides the kind of forceful feedback that is often necessary to accelerate change.

The larger data breaches face more scrutiny than most, including detailed analyses that come close to the type of grading system we are advocating. For example, a recent Forrester report, “Quick Take: Lessons For Security And Risk Pros From The Yahoo Breach,” examines Yahoo’s response to its massive breach of at least half a billion user accounts. The report identifies numerous mistakes Yahoo has made in its breach response efforts and provides six lessons to help other security professionals avoid similar errors.

It is not reasonable to expect such deep analyses of every data breach, but in a recent Forbes article, Contrast CEO and co-founder Jeff Williams suggested an alternative—a fairly simple scorecard that would grade organizations on 10 measures:

1. The tone of the breach notification
2. Timeline from initial break-in to disclosure
3. Scope of the data lost or stolen
4. Size of the breach (number of affected people, servers, etc.)
5. The root cause of the breach
6. Discovery details (who noticed it, and why wasn’t it noticed sooner?)
7. The remedy offered to victims
8. Future prevention efforts (what is being done to prevent future attacks?)
9. Blame (is the organization accepting responsibility or pointing to others?)
10. Oddities in the breach and response (is there anything about the timeline or other details that don’t add up?)

If your organization has suffered a breach recently, it is worth considering how you might grade yourself on the scorecard Williams suggested. We’ve written before about many of the items on his list, including the first one about breach notifications—and specifically how to make breach notification letters more effective.

While having organizations grade themselves in this way would be a start, what is really needed is an independent scorecard from an outside agency. The Forbes article suggests that CERT, a division of the Software Engineering Institute that studies problems in cybersecurity, might be a good candidate for the job. Other organizations such as the Consumer Federation of America might also be worth considering—depending on whether the scorecard would offer grades from the point of view of consumers, regulators, the media, or a combination thereof.

We may not see a breach response scorecard for months or years. In the meantime, organizations should at the very least conduct their own comprehensive postmortems to evaluate how well they have responded to past breaches. If you do not earn an A, examine the reasons and take steps to improve your grade. Given the frequency and severity of breaches, one thing we know for sure is that there will be another data breach—and consumers will be grading your response, whether you like it or not.

Customers Come First: Tools of the Data Breach Trade