When an organization experiences a data security incident, one of the first questions the organization asks is: Who do we have to notify? This question is often followed by two others: What do we have to say? And when do we have to say it? From a legal standpoint, applicable statutes, contracts, and regulations often dictate the answers to these inquiries. But notification is not limited to a legal inquiry. Business considerations, such as maintaining customer relationships and goodwill, are important but often overlooked when organizations think about notification. This article explores non-legal notification of an incident, its benefits, its risks, and a framework of factors to consider in deciding whether to make a non-legal notification at all.
By Sadia Mirza & Kamran Salour[1]
When an organization experiences a data security incident, the organization likely must make certain, time-sensitive decisions. One such decision is whether to “proactively message the incident” — the act of voluntarily informing internal and external stakeholders of the incident. Whether an organization should proactively message the incident depends on a bevy of factors, some of which will be unique to the specific incident. But there are several factors an organization should generally consider when deciding whether to proactively message the incident.
Before delving into these factors, it is prudent to distinguish proactive messaging from the other categories of messaging that