Skip to main content
Markkula Center for Applied Ethics

Responding to a Breach

Responding to a Breach

Responding to a Breach

A panel discussion on cybersecurity ethics

Sara Tangdall

On February 15, 2018, the Markkula Center for Applied Ethics’ Business, Internet, and Technology Ethics Programs held back-to-back panels about cybersecurity ethics.  The event was sponsored by the Ethics Center’s Partners in Business Ethics.

Panelists:

  • David Bradbury, Chief Security Officer at Symantec Corporation
  • Beth George, Of Counsel, Privacy & Data Protection at WSGR
  • Carin Kaltschmidt, Principal, Advisory Services, Portfolio & Program Management at EY
  • Steve Sigel, Manager, Incident Command, Data Protection & Privacy Program at Cisco

The panel was moderated by Brian Patrick Green, Director of Technology Ethics at the Markkula Center for Applied Ethics.

The panelists opened by discussing one of the primary ethical dilemmas facing companies:  when to disclose a breach to the public and what information to disclose.  George pointed out that sometimes companies should disclose more than the law requires, but it depends on the breach.  Sigel said companies should keep in mind the potential harm that could happen to the consumer and to employees if the company discloses at the wrong time or provides inaccurate information.  Bradbury said he approaches this dilemma by reminding himself that security is not his role--trust is his role, and he tries to balance being transparent with consumers versus constantly notifying them of breaches.  Ultimately, the panelists agreed that companies have a responsibility to put themselves in the victims’ shoes to help them determine when and what to disclose. 

The panelists also said the biggest way a company botches a breach is by not preparing for it ahead of time.  According to Kaltschmidt, companies can best prepare for a breach by having a well-defined plan that includes a list of third parties who have agreed to be a resource immediately following the discovery and disclosure of a breach.  The plan should also include escalation rules and clearly defined roles; for example, the plan should list who talks to the press and who talks to the board--a clear chain of command for internal and external communications in the event of a breach.  In addition to having a plan, companies should run crisis drills for what to do in the event of a breach.  Overall, the panelists emphasized that making these crucial decisions ahead of time is vital to successfully and ethically managing a breach.

Apr 3, 2018