
Never use the “B” word
Why calling a cyber incident a breach too early can create legal, regulatory and reputational damage
When Resolute is first introduced to an organization experiencing a cyber incident, the conversation usually follows a familiar trajectory. Leadership explains the situation and, almost always, uses the same phrase, “We’ve experienced a breach.”
The explanation is understandable. Systems have been disrupted, ransomware may be present or some sort of unauthorized access has been identified. The event is serious and “breach” feels like the right word. But in the early stages of a cyber event, that word comes with consequences that may not yet apply.
One of the first conversations we have is usually about the importance of choosing the words we use and why the “B” word should not be used prematurely.
In cyber incident response, precision in language protects the organization. The word breach triggers legal obligations, regulatory timelines and potential litigation exposure. Using the B word before forensic findings actually support the designation of a breach can create unnecessary legal and reputational complications.
Not every incident is a breach, but every breach begins as an incident
To understand why this distinction matters, it is important to first understand the law.
All 50 states have security breach notification laws. Using Illinois as an example, a breach is defined as the unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information.
In simple terms, a breach occurs when an individual’s name, combined with other sensitive information, such as a Social Security number, driver’s license number or financial information such as a bank account or credit card number, is acquired without authorization.
Once a breach involving personal information is confirmed, notification obligations begin. Individuals have to be notified and, in larger incidents, regulators such as the Attorney General may have to be notified as well.
The key word here is confirmed. Once you determine a breach has occurred, the legal notification clock starts ticking and you are likely required to begin implementing actions based on that designation.
Understanding the difference
Cyber Incident = A suspicious or confirmed security event under investigation.
Cyber Breach = Confirmed unauthorized access to regulated data that meets legal notification thresholds.
These distinctions are important and define if and when actions are required.
Reality check – The first days of a cyber incident are not fun
When suspicious activity is first identified, such as ransomware or unauthorized access, what you have is a cyber incident. At this stage, you are likely the victim of a criminal act and like any criminal investigation, facts emerge over time, not instantly.
In the early days of a cyber incident, there are typically more questions than answers, including:
- Was access actually achieved?
- Were systems disrupted, or was data accessed?
- If data was accessed, what type of data?
- Was anything exfiltrated?
- If so, was it encrypted, readable or usable?
- How long did the threat actor have access?
- What evidence is confirmed versus still being validated?
And in many cases, it takes weeks and sometimes even longer for forensic teams to validate answers through a detailed investigation. Calling something a breach before those answers are confirmed is not transparency, it’s speculation with legal consequences.
Investigations evolve and so do facts
When an organization initiates a cyber investigation, it typically works in coordination with independent forensic cybersecurity firms, outside legal counsel, cyber insurers if you have coverage, cyber crisis communications professionals and law enforcement. And it’s important to understand cyber investigations are complex. Threat actors do not leave footprints and evidence has to be identified, analyzed, connected and legally reviewed.
As investigations progress, it is normal for initial assumptions to change, scope to narrow or expand, early theories to be disproven and findings to require additional legal validation.
This is why word choice is essential. Responsible incident response relies on confirmed facts, not early indicators, internal speculation or external pressure.
Let’s talk about reputation management
The most difficult part of a cyber event is often not the technical response. It is managing communications while facts are still developing. Executives feel pressure to reassure stakeholders, clients want answers, boards demand clarity and vendors want to know if they are impacted. At the same time, the teams involved in the investigation are pushing to limit information from being released until it has been verified.
Layer on top of that today’s contractual reality many organizations operate under, which includes notification provisions requiring notice to be provided within 24 or 48 hours of discovering an “incident” or “breach.” Again, word choice is important here. Corporate America is very aware of the difference between the words incident and breach when it comes to cyber events and notification requirements. They choose the word incident to speed up the notification, to prevent companies from delaying notification until a breach is confirmed.
And it’s these contractual provisions, which require extremely fast notifications, that create significant risks. The contractual notification provisions which include “incident” wording force initial communications to occur before the scope is even understood or data exposure has even been investigated, let alone confirmed.
This is where communications risk escalates. Acknowledging an incident too broadly or too definitively can unintentionally trigger additional obligations, expand legal exposure and undermine credibility if facts later change.
Preparation is the key
After years of guiding organizations through cyber incidents, one truth remains consistent: those that manage them well are the ones that prepared in advance.
Put aside all the communications you should have developed for key stakeholders for a moment. Let’s just focus on one element of communications touched upon earlier that you may have to implement just 24 or 48 hours after learning you have been impacted by an incident – contractual notification requirements.
If your organization has contracts which include cyber notification requirements and you do not have a coordinated crisis communications plan in place to address these requirements, you are relying on improvisation under pressure. When the clock is ticking, what seemed straightforward always becomes a complex cross-functional exercise involving legal, IT, security, communications and executive leadership, all trying to determine:
- What has to be said
- To whom
- By when
- And how
And these contractual notification requirements are just one of many communications you need to be prepared for. If you don’t already, you should have a comprehensive crisis communications plan in place that integrates with your technical and operational IRP.
If you haven’t already, take the time now to invest in crisis communications planning, including the development of scenario-specific playbooks, such as ransomware and business e-mail compromise. Preparation does not remove the stress of a cyber event, but it significantly reduces the risk of saying something you later regret.
So when is the “B” word used?
At Resolute, the term breach is used after the investigation supports that conclusion. That means the forensic investigation has progressed to the point where there is confirmed evidence of unauthorized acquisition of regulated personal information. The scope of access or exfiltration has been validated through forensic analysis and legal counsel has assessed applicable state, federal and contractual notification obligations.
At this point the organization has shifted from fact-finding to execution, because once a breach is confirmed, notification timelines are no longer discretionary, they are statutory requirements. At that point, the question is no longer whether the word breach applies. It does.
Why word choice matters in a cyber incident
Cyber incidents are stressful, move quickly and often unfold under intense internal and external scrutiny. In those moments, leadership feels understandable pressure to act, to reassure stakeholders and to provide certainty.
But during a cyber event, the words used in the first hours and days can either protect the organization or create additional risk. Choosing not to use the word breach early in an investigation is not about minimizing the situation, it is about recognizing the term carries specific legal, regulatory and contractual consequences. Once that word is used, it can trigger notification obligations, regulatory timelines and heightened expectations that may not yet be supported by confirmed facts.
Disciplined language allows an investigation to proceed systematically. It preserves credibility as findings evolve and ensures when definitive statements are made, they are accurate, defensible and aligned with legal requirements.
In cyber incident response, precision is not caution, it is strategy. It supports compliance, it safeguards reputation and ultimately, it protects the organization.
That is why the “B” word is used only when the evidence confirms it applies.