Christofer Hoff pointed me to a publication in the Harvard Business Review. The article describes a case study in which a (fictional) company suffers a data breach. The case study really revolves around the proper organizational response and boils down to one question: going public or not.


"Brett, we have a problem. There might be a data breach." Laurie, a tough but polished former Chicago police detective, had been responsible for security at Flayton's for almost three years. She had an impressive record of reducing store thefts while building productive relationships with local schools, community groups, and law enforcement.

"What kind of data breach?" Brett asked. His tone was calm, as always, yet he scanned the lounge to make sure that no one could overhear.

"I'm still not sure," Laurie admitted. "I was contacted by Union Century Bank. They regularly examine their fraudulent accounts for patterns, and we've shown up as a common point of purchase for an above-average number of bad cards. They're getting me more information, but I thought you'd want to know right away. It could be nothing--or it could be significant."


The choice of words, as well as the writing style used in the article, makes it a very pleasant and informative read. Put yourself in the hot seat: disclosure or not? At what price? What is it that your customers expect from you, and how will they respond when that expectation is not met? What about your other stakeholders?

My first gut-feeling: glad I'm not in public relations :)

In a situation like this, an organization should admit when it is at fault and work hard to regain the trust that its stakeholders have put in it. Keeping it quiet will only work against you and should be avoided. Some information should be made public, but in a joint effort with the banks and (possibly) law enforcement, so that what is disclosed is accurate, the timing does not undermine the investigation, and the affected cardholders are reached through the parties that can actually act on it.