At the recent 2017 GreyCastle Cybersecurity Symposium: Generation Cyber, I had the pleasure of presenting the “Top 10 Legal Pitfalls to Avoid in Relation to a Data Breach.”

My pitfall list included:

It was a lively conversation at the symposium, and I barely got through the first few pitfalls on my list before the conversation took over the presentation. Clearly, not enough thought is being given to the legal ramifications of a data breach. I am always surprised by how some skilled and experienced security professionals can lack even a basic understanding of, for example, the benefits of the attorney-client privilege when conducting a risk assessment, or of the hyper-complexity of cybersecurity regulation in the U.S.

This is not necessarily the fault of the security profession, however.  In many organizations, security professionals are being asked to wear too many hats, including:

Too often, the legal aspects of a data breach are not considered until it is too late.  And these considerations are growing, although they are all too often based on simple common sense.  Case in point, the Uber breach, where it has been reported that certain Uber staff paid the hackers $100,000 to delete the stolen data, to cover up the extent of the breach.

Given this latest debacle, I am adding an eleventh pitfall to my list:

Of course, this pitfall should go without saying. Uber staff paying off the bad guys to delete the data is like a bank manager paying off the bank robbers to burn the money they stole: it is pointless, and it does not erase the fact of the theft.

How to address this kind of panic-driven response in an organization: amnesty. A data breach is the only situation in which your organization will be the victim of a crime yet treated as a pariah, both publicly and by your regulators. Keep in mind that, despite Uber’s catastrophic failure concerning this breach (which began through compromised credentials to a cloud hosting service), Uber was the victim in the first instance. It lost any ability to claim victim status when certain of its staff undertook the cover-up to protect their own positions at the expense of the company. Only by making clear to every member of your organization, from the board room to the server room, that reporting a breach will never result in discipline or loss of their position can an organization hope to combat the kind of self-interest seen with Uber, which can—and in this case will—have catastrophic repercussions.