EPSD in Law.com- Beyond Liability: How Vague Breach Communications Harm Your Business (And Legal Position)
This article by EPSD’s Managing Partner, Nick Selby, EPSD Advisory Board member / Founder and CEO of Discernible Communications, Melanie Ensign, and Chief Data Strategy Officer at Abaxx Technologies, Inc., Michelle Finneran Dennedy, appeared in Law.com’s Expert Opinion section on 1 March 2026. Read the excerpt below, and please click through for the full text.
The lawsuits are coming regardless. Vague communications ensure you’ll face them with an alienated customer base and evidence that you prioritized legal cover over helping victims protect themselves. That’s a costly combination for any brand.
When companies fail to provide clear information about security incidents, they surrender narrative control and hamper the countermeasures victims could otherwise take. Ironically, this abdication of responsibility doesn’t just damage customer relationships; it ends up harming business performance and the very legal position you’re trying to protect.
The instinct to stick to specific legal liability and minimize statements to protect the organization is understandable. But when enterprise customers can’t assess the level of actual risk they’re facing, they must assume maximum theoretical risk. This forces them to make conservative business decisions that may directly harm your revenue.
Consider what happened when Salesloft disclosed a security incident affecting its Drift product. The company revealed on its Salesloft+Drift Trust Portal that a threat actor accessed GitHub, downloaded repositories, and obtained OAuth tokens (credentials that let applications act on behalf of users). What Salesloft didn’t disclose was how the attacker initially compromised the account or how customer credentials were stolen.
When companies don’t make explicit and clear statements that help their customers understand the root cause or initial attack vector, customers can struggle to determine whether their own environments were vulnerable to similar compromises. Security teams are left guessing whether, for example, the breach indicated systemic security failures or a one-off incident, like a rogue insider. Vagueness forces customers to scramble into worst-case planning: conducting full security audits of integrations, rotating all credentials that may be involved, reviewing access logs for anomalies, and in some cases, restricting or pausing use of the platform entirely — all expensive, disruptive measures that might have been unnecessary with clearer information. Customer legal teams must presume that personal information was likely compromised and begin disclosure planning with limited time to act.
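To make the cost of vagueness concrete, here is an added example (not code from the article or from any vendor named in it) that shows how a customer security team's token-rotation scope changes depending on what a vendor discloses. The log format, token ids, client names, IP addresses and the "disclosed compromise window" are all constructed for this illustration. With no disclosed timeframe or vector, every OAuth token that ever touched the integration has to be treated as exposed; with a disclosed window, the team can narrow rotation to tokens used inside that window from an unfamiliar source address.

```python
import re
from datetime import datetime

# Constructed sample access-log lines for a hypothetical OAuth integration.
# Nothing here is real data: tokens, clients and IPs are placeholders.
SAMPLE_LOG = """\
2026-02-20T08:15:00Z token=tok_A client=crm-sync ip=203.0.113.10 scope=read:contacts
2026-02-21T09:02:00Z token=tok_B client=bi-export ip=203.0.113.11 scope=read:reports
2026-02-22T23:47:00Z token=tok_A client=crm-sync ip=198.51.100.77 scope=read:contacts
2026-02-23T01:10:00Z token=tok_C client=support-bot ip=203.0.113.12 scope=read:tickets
2026-02-23T02:30:00Z token=tok_B client=bi-export ip=198.51.100.77 scope=read:reports
"""

# Source addresses the customer's own integrations legitimately call from (constructed).
KNOWN_EGRESS_IPS = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}

# A hypothetical compromise window the vendor *could* have disclosed.
DISCLOSED_WINDOW = (
    datetime.fromisoformat("2026-02-22T00:00:00+00:00"),
    datetime.fromisoformat("2026-02-23T03:00:00+00:00"),
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) token=(?P<token>\S+) client=(?P<client>\S+) "
    r"ip=(?P<ip>\S+) scope=(?P<scope>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts with UTC timestamps."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        # 'Z' suffix is normalised so datetime.fromisoformat accepts it on older Pythons.
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append(
            {"ts": ts, "token": m["token"], "client": m["client"], "ip": m["ip"], "scope": m["scope"]}
        )
    return events


def tokens_to_rotate(events, known_ips, window=None):
    """Return the set of token ids that must be rotated.

    window: (start, end) of the vendor-disclosed compromise window, or None when
    the vendor gave no timeframe or initial vector.
    """
    if window is None:
        # Worst case: with nothing to scope by, every token seen in the log is suspect.
        return {e["token"] for e in events}
    start, end = window
    flagged = set()
    for e in events:
        # Inside the disclosed window and used from a source the customer does not recognise.
        if start <= e["ts"] <= end and e["ip"] not in known_ips:
            flagged.add(e["token"])
    return flagged


def triage_report(text=SAMPLE_LOG, known_ips=KNOWN_EGRESS_IPS, window=DISCLOSED_WINDOW):
    """Compare the rotation scope under vague versus specific disclosure."""
    events = parse_log(text)
    return {
        "vague_disclosure": tokens_to_rotate(events, known_ips, None),
        "specific_disclosure": tokens_to_rotate(events, known_ips, window),
    }


if __name__ == "__main__":
    report = triage_report()
    for label, tokens in report.items():
        print(f"{label}: rotate {sorted(tokens)}")
```

On the constructed sample, a vague disclosure forces rotation of all three tokens, while the disclosed window plus the customer's own knowledge of its egress addresses narrows the work to the two tokens actually used from an unfamiliar source. The same scoping logic applies to audit and log-review effort: a disclosed initial vector and timeframe are what let a customer decide how much of this work is necessary at all.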