Organisations today lack a proper framework that will help them respond quickly when they experience a cybersecurity incident. Governments can help by establishing clear guidelines and protocols, but overly restrictive requirements may discourage companies from disclosing they suffered a breach.
As it is, companies are on edge that they may face litigation from customers when a security incident occurs.
More were moving to keep things under wraps over concerns about class action lawsuits or any other potential legal action, said Forrester’s senior analyst Jess Burn, who specialises in incident response and crisis management as well as security training.
Insurance and attorney-client privilege often got in the way of full transparency from these companies, particularly in North America where society was perceived to be highly litigious, Burn said in a video interview with ZDNet.
Organisations would disclose what was required by regulators and park everything else under a dedicated contract that ensured investigations, following a breach, were kept under attorney-client privilege, she said.
This meant that any party involved in the investigation could be prevented from disclosing confidential communications between the breached organisation and its lawyers.
Burn observed that lawyers increasingly were involved in any communication that companies