The White House Knows When Your Clients Should Disclose Security Breaches


Yesterday Target announced a new CIO and a new card processing system to help minimize the impact of last year’s massive security breach.

Many have faulted the company for being behind the news cycle, only acknowledging that a problem existed after others reported it, and gradually increasing the official estimate of how many customers had been affected.

The biggest PR question at the time was “how and when should clients reveal such security weaknesses?”

This week we got a little advice on that front…from The White House.

As The New York Times reported on Monday, White House cybersecurity coordinator Michael Daniel wrote a blog post inspired by the recent “Heartbleed” incident that required everyone to change their passwords (not that we actually did…whoops).

While his post concerns the federal government and cyber terrorists, we think the questions discussed could apply to almost any client whose systems store customers’ personal and financial data:

  • How much is the system in question used directly by the client’s customers?
  • Does the vulnerability, if unpatched, pose a significant risk to those customers?
  • Can it be patched “or otherwise mitigated” at all?
  • How much damage could a third party do to an individual customer via this breach?
  • What is the likelihood of an outsider discovering and reporting the problem before we announce it?

As with the federal government, the issue here is how to balance transparency against two risks: releasing information that would not benefit the public, and releasing incomplete or misleading data.

While Target’s concerns are very different from those of the Department of Defense and the NSA, we think Daniel gets to the core of the larger issue: news releases should only concern breaches that could directly affect customers, and information should only be released when it can be confirmed and accurately quantified.

What do we think?