How NOT To Notify Your Victims About That Pesky Data Breach

Bad Privacy Blog by Claudiu Popa
Apr 27, 2021

3 Cardinal Rules to Follow When Avoiding Responsibility for Cybersecurity Incidents.

First and foremost, let it age for a month after discovery. It is important to appreciate that data breaches get better with age, so give it time before you get around to penning some well-turned phrases.

That was a bonus tip. It almost goes without saying that the sooner you let people know you dropped the ball on their data, the sooner they’ll panic. Be kind and let them have a few weeks to savour their false sense of privacy.

1. Keep ’em guessing. Never mention which product, company or website was hacked. Address victims only in vague, superficial terms and be sure to tell them you’re working diligently on their behalf, even though you just compromised their children’s personally identifiable information.

2. Avoid mentioning the impact of your stolen data in criminal hands. Just because your information can be used to open bank accounts and sign up for utilities and cell phone plans, there is no reason to alarm people after cybercriminals have taken possession of their data. You never know, they may decide to hand it right back out of the goodness of their hearts.

3. Placate your victims with false assurances. Push the illusion of security as far as it will go and whatever you do, avoid taking responsibility for the breach that was entirely due to your negligence. People love to be lulled into a peaceful delusion.

Finally, don’t let them rest on their laurels. It’s bad enough that you’ve been inconvenienced into having to affix your name to a letter. Put those victims to work and impose arbitrary constraints. It’s as easy as A, B, C:

a. Tell them not to call after 4:30 because identity theft be damned, you need your beauty sleep.

b. Let them fight with the credit bureaus, because after all it’s a great learning opportunity for them to discover that under Canadian law, they have negligible protection from unauthorized transactions.

c. Reiterate that you are committed to protecting their information, implying that it’s now time for them to do their part, especially since they now have their work cut out for them after you allowed hackers to help themselves to their data.

Wish them luck! They’ll need it!

Fīat jūstitia, ruat cælum. Personal musings on data protection fails, snafus & oddities, written & edited by Claudiu Popa; author, educator, booknerd.