Exercises: When Things Go Wrong: Breach Response and Crisis Ethics
These exercises progress from concept checks to challenging applications. Estimated completion time: 3-4 hours.
Difficulty Guide:
- * Foundational (5-10 min each)
- ** Intermediate (10-20 min each)
- *** Challenging (20-40 min each)
- **** Advanced/Research (40+ min each)
Part A: Conceptual Understanding *
Test your grasp of core concepts from Chapter 30.
A.1. Section 30.1 describes the anatomy of a data breach. Identify and briefly explain the six phases of the incident response framework: preparation, detection, containment, eradication, recovery, and lessons learned.
A.2. Explain the GDPR 72-hour notification rule (Section 30.3.1). Why does Dr. Adeyemi describe the legal notification timeline as "a minimum, not a target"?
A.3. Section 30.4.2 lists five principles of crisis communication: be first, be honest, be specific, be victim-centered, and be continuous. For each, explain in one sentence what failure to follow the principle looks like in practice.
A.4. Distinguish between the legal floor and the ethical floor in breach response (Section 30.5.1). Using the table from that section, identify two examples where ethical obligations exceed legal requirements.
A.5. What is a "blameless postmortem" (Section 30.6.1)? Why does the chapter argue that focusing on systemic failures rather than individual blame produces better outcomes?
A.6. Section 30.6.2 presents a root cause analysis chain. Explain why the root cause of a data breach is "almost never 'a hacker broke in'" and is instead typically an organizational decision.
A.7. Eli asks: "When Equifax exposed my social security number, they offered me one year of free credit monitoring. But my social security number is compromised for life" (Section 30.5.2). Explain the mismatch between the harm and the remedy. What would a proportionate response look like?
Part B: Applied Analysis **
Analyze scenarios, arguments, and real-world situations using concepts from Chapter 30.
B.1. Consider the following breach scenario:
A social media platform discovers that an API vulnerability allowed third-party developers to access user photos that had been uploaded but not posted publicly (draft photos). Approximately 6.8 million users are affected. The vulnerability existed for 12 days before detection. The platform discovers the breach on a Friday evening.
Using the incident response framework from Section 30.1, outline the response actions for each phase. Include specific decisions the company must make in the first 72 hours.
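A practical detail that exercises A.2 and B.1 both turn on is that statutory notification clocks run in calendar time: a breach discovered on a Friday evening has a GDPR 72-hour deadline on Monday evening, not three business days later. The script below is an added example written for this exercise set (not code from the chapter or from VitraMed); it computes the deadlines from the moment of awareness and checks a notification time against them. The 72-hour (GDPR supervisory authority) and 60-day (HIPAA individual notice) windows are the ones the exercises cite; the discovery and notification timestamps are constructed for the B.1 scenario.

```python
from datetime import datetime, timedelta, timezone

# Notification clocks as the exercises describe them (constructed summary for
# this example, not legal advice): GDPR requires notice to the supervisory
# authority within 72 hours of becoming aware; HIPAA requires individual notice
# within 60 calendar days of discovery.
NOTIFICATION_CLOCKS = {
    "GDPR supervisory authority": timedelta(hours=72),
    "HIPAA individual notice": timedelta(days=60),
}


def deadlines(discovered_at):
    """Return {clock name: deadline} measured from the moment of awareness.

    The clocks run in calendar time: weekends and holidays do not pause them,
    which is why a Friday-evening discovery leaves only the weekend plus Monday.
    """
    if discovered_at.tzinfo is None:
        # A naive timestamp invites off-by-hours mistakes across time zones.
        raise ValueError("discovery time must be timezone-aware")
    return {name: discovered_at + window for name, window in NOTIFICATION_CLOCKS.items()}


def assess(discovered_at, notified_at):
    """For each clock, say whether a notification sent at notified_at was in time
    and how many hours of slack remained (negative means late)."""
    report = {}
    for name, deadline in deadlines(discovered_at).items():
        slack_hours = (deadline - notified_at).total_seconds() / 3600
        report[name] = {
            "deadline": deadline,
            "on_time": slack_hours >= 0,
            "slack_hours": round(slack_hours, 1),
        }
    return report


# Constructed timeline for the B.1 scenario: the platform discovers the API
# exposure on a Friday evening (14 June 2024 is a Friday).
DISCOVERED = datetime(2024, 6, 14, 19, 30, tzinfo=timezone.utc)
# Constructed: the team waits for the Monday status meeting and notifies Tuesday morning.
NOTIFIED = datetime(2024, 6, 18, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, deadline in deadlines(DISCOVERED).items():
        print(f"{name}: deadline {deadline:%A %Y-%m-%d %H:%M %Z}")
    for name, result in assess(DISCOVERED, NOTIFIED).items():
        status = "on time" if result["on_time"] else "LATE"
        print(f"{name}: {status} ({result['slack_hours']} h slack)")
```

Run as written, the GDPR deadline lands on Monday 17 June at 19:30 UTC, so the Tuesday-morning notification is 13.5 hours late even though the HIPAA clock still has weeks to run. That gap is the point of the chapter's "a minimum, not a target" remark: the legal deadline is the last acceptable moment, and the 72 hours that contain a weekend are the ones most likely to be lost.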
B.2. Section 30.4.3 describes three cases of bad crisis communication: Equifax, Uber, and Yahoo. For each, identify the specific communication failure and explain why it made the breach worse than it needed to be. Then identify a common pattern across all three.
B.3. VitraMed's outside counsel presented two options (Section 30.7.2): immediate notification (Option A) or delayed notification within legal deadlines (Option B). Construct the strongest possible argument for Option B that the legal team might have made. Then explain why Vikram chose Option A despite this argument. Which approach do you think was correct?
B.4. Section 30.5.3 applies care ethics to breach response. Apply care ethics to the following scenario:
A university's student records database is breached, exposing academic records, financial aid information, and disability accommodation data for 12,000 students. Some affected students are undocumented immigrants whose enrollment status could be used against them.
What does a care-ethics-informed response look like? How does it differ from a purely legal compliance response?
B.5. VitraMed's post-incident review identified three root causes (Section 30.7.5): credential management, monitoring gaps, and phishing vulnerability. For each, trace the root cause chain -- moving from the proximate cause through the organizational decisions that enabled it, following the model in Section 30.6.2.
B.6. Section 30.4.2 states: "Being second -- having the breach revealed by a journalist or a regulator -- communicates concealment." Apply this principle to a scenario where a company discovers a breach but believes it may have been contained (no evidence of data exfiltration). Should the company notify? What are the risks of notifying vs. waiting?
Part C: Real-World Application Challenges ** to ***
These exercises ask you to apply breach response and crisis ethics frameworks to complex situations.
C.1. ** Notification Drafting. Draft a breach notification letter for the following scenario: A healthcare billing company discovers that an employee accidentally emailed a spreadsheet containing 3,200 patients' names, dates of birth, and insurance policy numbers to the wrong recipient (a business partner rather than the intended internal recipient). The business partner confirmed receipt but claims to have deleted the email.
Your notification should follow the principles from Section 30.4.2 and VitraMed's notification approach (Section 30.7.4): specific, honest about the cause, actionable, and acknowledging the harm.
C.2. *** Incident Response Plan. Design an incident response plan for a mid-size university (20,000 students) that processes: student academic records, financial aid data, health center records, campus housing applications, and employee HR records. Your plan should cover:
- Incident response team composition
- Detection and escalation procedures
- Containment protocols for different breach types
- Notification decision framework (who, when, how)
- Communication templates for different audiences (students, parents, media, regulators)
- Post-incident review process
C.3. *** Crisis Communication Evaluation. Research a real data breach that occurred within the last three years. Evaluate the organization's communication response against the five principles from Section 30.4.2. Rate the response on each principle (strong, adequate, weak) and explain your rating. Then identify what the organization should have done differently.
C.4. *** Root Cause Analysis. Read the following breach summary and construct a root cause analysis chain (Section 30.6.2):
A retail company's customer database was accessed through a SQL injection vulnerability in the company's e-commerce website. The vulnerability had been identified in a security audit six months earlier. The security team recommended patching but the patch was never applied because it required a four-hour maintenance window, and the VP of Online Sales refused to take the site offline during the holiday shopping season. The security team escalated the issue to the CIO, who agreed to defer the patch until January. The breach occurred in December.
Trace the chain from the proximate cause through at least four levels of "why" to the root cause.
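The proximate cause in C.4 is a SQL injection flaw, and the deferred "patch" is a small code change rather than infrastructure downtime, which is worth seeing concretely when weighing the four-hour maintenance window against the risk. The following is an added example written for this exercise (not the retailer's code and not from the chapter): a minimal customer lookup in the vulnerable form the audit would have flagged, beside the parameterized form that fixes it, run against a constructed in-memory SQLite table so the audit finding can be reproduced and then shown closed. Table, column, and sample values are all constructed.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the retailer's customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [
            ("alice@example.com", "1111"),
            ("bob@example.com", "2222"),
            ("carol@example.com", "3333"),
        ],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """'Before' state: the request parameter is pasted into the SQL text, so the
    database parses whatever the caller sent as part of the query."""
    query = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_patched(conn, email):
    """The deferred fix: a parameterized query. The driver binds the value
    separately from the statement, so the input can never change the query's
    structure, only the value compared against."""
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


# Constructed probe of the kind a security audit uses to confirm the finding:
# a value that, if parsed as SQL, widens the WHERE clause to match every row.
AUDIT_PROBE = "' OR '1'='1"


def audit_finding_open(conn):
    """True when the vulnerable lookup returns more rows for the probe than
    exist for any single customer, i.e. the audit finding is still open."""
    return len(lookup_vulnerable(conn, AUDIT_PROBE)) > 1


def audit_finding_closed(conn):
    """True when the patched lookup treats the probe as a literal email address."""
    return lookup_patched(conn, AUDIT_PROBE) == []


if __name__ == "__main__":
    db = build_db()
    print("finding reproducible against vulnerable code:", audit_finding_open(db))
    print("finding closed by parameterized query:", audit_finding_closed(db))
    print("normal lookup still works:", lookup_patched(db, "bob@example.com"))
```

The contrast is the first link in the root cause chain: the technical fix is a one-line change and needs no site outage, so "why was the patch not applied" leads immediately to how the maintenance window was estimated, who owned the risk, and why the CIO's deferral was accepted without a compensating control.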
Part D: Synthesis & Critical Thinking ***
These questions require you to integrate multiple concepts and think beyond the material presented.
D.1. Mira's reflection at the end of the chapter captures a tension: the ethics advisory group shaped the response, but the breach should not have happened in the first place. Eli responds: "Ethics programs are only as good as the infrastructure underneath them." Evaluate this statement. Is Eli right? Can an ethics program compensate for infrastructure failures, or is technical infrastructure a prerequisite for ethical practice? Use evidence from Part 5 to support your argument.
D.2. The chapter argues that "the breach itself is damaging; the cover-up is catastrophic" (citing Equifax, Uber, and Yahoo). But some critics argue that immediate notification can cause unnecessary panic, confuse affected individuals, and actually harm breach response by forcing premature disclosure of ongoing investigations. Evaluate both positions. Under what circumstances, if any, is delayed notification ethically justified?
D.3. Section 30.7 presents VitraMed's response as largely exemplary: prompt notification, honest communication, victim-centered approach, systemic improvements. But the breach still caused real harm to 42,000 patients. Does an exemplary response to a breach mitigate the organization's moral responsibility for the breach itself? Or does the response, however good, exist in a separate ethical category from the prevention failure?
D.4. The chapter examines breach response through multiple ethical frameworks: the compliance floor (what the law requires), care ethics (what relationships of trust demand), and the power asymmetry (who decides and who bears the consequences). Apply justice theory (Chapter 6) to breach response. What does a justice-oriented breach response look like? Consider distributive justice (how are the costs of the breach distributed?), procedural justice (are affected individuals treated fairly in the response process?), and restorative justice (are relationships and trust repaired?).
Part E: Research & Extension ****
These are open-ended projects for students seeking deeper engagement.
E.1. Breach Database Analysis. Access the HHS "Wall of Shame" (breach reporting portal for HIPAA-covered entities) or a similar breach database. Analyze the 20 most recent healthcare breaches. Categorize them by: (a) breach type (hacking, unauthorized access, theft, improper disposal, etc.), (b) number of individuals affected, (c) whether notification was within 60 days, and (d) the root cause (if available). Write a 1,000-word analysis identifying patterns and recommending systemic improvements.
E.2. Comparative Breach Response. Select two data breaches from different organizations that affected comparable numbers of individuals. Research each organization's response in detail. Write a 1,500-word comparative analysis evaluating: speed of notification, honesty of communication, support for affected individuals, and systemic improvements implemented. Which organization responded better, and why?
E.3. Crisis Ethics Simulation. Design a tabletop exercise for a data breach crisis. Your exercise should include: a scenario document (the breach details revealed progressively), role cards for participants (CEO, CIO, DPO, legal counsel, communications director, ethics committee chair), decision points at each stage, and a facilitator guide with discussion questions. The exercise should take approximately 90 minutes.
Solutions
Selected solutions are available in appendices/answers-to-selected.md.