"There is no evidence that any unencrypted credit card data was accessed."

This phrase is infuriating for a few reasons. First, it plays to, and reinforces, the false notion that credit card data is the thing you need to worry about in a breach. It is not.

Second, it relies on the phrase "no evidence". An absence of evidence is not evidence of absence.

The authors of these statements know both of those things. If they spent as much time securing their systems as they did crafting subtly deceptive blog posts, we'd all be better off.

@boblord This comment comes up after just about every breach disclosure. I am curious: what does a company say or do when an investigation is ongoing but so far has not come across any sign of credit card access? Consumers and reporters inevitably ask about cc access, so it’s not really an option to simply say nothing. How can a company prove a negative anyway? They can either say it was accessed or they have no indication it was accessed. What more can a breach victim say?
@dangoodin @boblord saying there is no evidence something was taken without disclosing there is no evidence something was not taken is a bit disingenuous.
@dangoodin @boblord I believe there's a relevant Sagan quote, “Absence of Evidence does not mean Evidence of Absence”.
@gdbassett @boblord if you’re not going to answer my question about the wording, I don’t think there’s much more for us to discuss.
@dangoodin @gdbassett @boblord having written more incident response statements than most CISOs at this point in my career, I find a common pitfall is expecting a single statement to address the concerns of all stakeholders. What works for infosec doesn’t work for everyone.
Good IR comms is an orchestrated symphony of tailored comms that answer different questions for each audience. These various communications align, but they’re not identical.

@Wednesday @dangoodin @gdbassett

Great point and very true. I still think we can get better at this.

@boblord @dangoodin @gdbassett I agree & cited your 2015 point about “lack of evidence” in a blog post a few weeks ago: https://discernibleinc.com/blog/remove-these-cardinal-sins-from-your-data-breach-statements
As a comms pro, I believe we fail when we treat security comms as crisis comms rather than a proactive never-ending dialogue with stakeholders about ongoing risk. Don’t treat incidents as something that will eventually “be over.”
Scrub these Phrases from Your Data Breach Statements — Discernible Inc

In the event of a security incident, it's critical that your response is both fast and accurate. Unfortunately, many organizations make the mistake of including one or more of the following three elements in their public statements, which impairs the credibility and trustworthiness of their response.
@Wednesday @dangoodin @gdbassett That last point is the most important. Internally, there is pressure to get back to normal, rather than to establish that "never-ending dialog" about risk. Maybe we can get you to deliver a TED talk on fixing that problem!
@boblord @dangoodin @gdbassett the underlying problem is that comms pros are promoted for “managing” crisis rather than preventing it.
In my experience, IR comms only becomes crisis comms if you fuck it up. I don’t want my clients to panic & that puts me at odds with most of my profession.