The notification dilemma – what can you tell the public when you don’t yet know the extent of a data security incident?

Useful tips about tuning your disclosure messages:

In June, BCLP hosted a high-profile data breach seminar, in which industry specialists, the ICO’s Head of Investigations, a former convicted hacker and BCLP’s data breach team came together to conduct a mock data breach exercise and discuss issues that arise when firms are hit by a data breach in the current enforcement climate. During the seminar we asked our audience, made up of Execs, CISOs, DPOs, lawyers and other professionals, a number of questions about their own approach to data breaches. Over the coming weeks we will be discussing some of the notable points that arose out of the answers to those questions.

The seminar highlighted the tension inherent in many breaches – what information do you disclose when forced to publicly announce a breach while your investigation is ongoing? One business which recently encountered this dilemma, and may face a fine in part as a result of its decision, is British Airways.

On 8 July 2019, British Airways announced that the ICO intended to fine it £183m for breaches of data protection law, following a cyber security incident in August and September 2018.

British Airways stated that it was defending itself vigorously following the initial finding and would be making representations to the ICO. When the ICO does publish its final decision, we expect to have a fuller picture of what actually happened, and whether or not the way in which British Airways responded when it first came to know of the breach may have fed into the level of the proposed fine.


The legal (and arguably moral) requirement to tell customers about a problem is paramount, but sometimes an announcement in the moment can be inaccurate, and can either cause concern where none is required, or vice versa. There will also always be a conflicting impetus to minimise negative PR by controlling the message while not disseminating inaccurate information. One practical tip with early announcements and notifications is to avoid being too definitive or specific as to the extent of the impact when the situation is still prone to change.

