It is always better to be forthcoming and proactive with breach notifications. Having customers hear about a breach from the company in a controlled message is always better than them hearing about it in a sensationalized news article.
This is something I have told countless customers. Unfortunately, when I have said it in the past, I have only had weak anecdotal evidence to back that claim. That just changed.
A research study was recently published at Harvard Business Review that set out to empirically prove this axiom.
They refer to companies self-disclosing early on in the crisis as “stealing thunder”. Their study showed some test subjects fake news articles breaking a story and then fake company press releases reacting, and others saw company press releases disclosing first and then fake news derived from company press releases. The subjects were then asked about the reputation of the fake company. They found that people pay more attention to the negative news when there hasn’t been a disclosure from the company. When details are scarce, people pay more attention to the small nuggets the news media are digging up. A company that provides a glut of detail up front lowers the value of the nuggets in the news, and thus the news reporting becomes less negative and less sensational. The bottom line being that the company’s reputation takes less of a hit when they self-disclose early.
This does not mean the company needs to disclose every detail. There are always aspects of an investigation that need to be kept confidential. Also, details that might change as the investigation progresses, such as number of affected systems or users, could bite the company if they keep changing in every news article. Remember how the number of cards compromised in the Target braeach seemed to grow each week?
But, a carefully crafted message that is thorough without being too detailed can provide enough information to customers and journalists that there is little left for them to spin into a negative news article. The more information the company discloses up front, the more the customers get the impression that the company is in control of the situation.