Data breaches are an ever-increasing issue for businesses large and small. As incidents of hacking increasingly result in compromised corporate digital security, there are myriad issues for any organization to address.
The aftermath of a breach is not the time to create a plan for managing the intrusion. Businesses must have a broadly understood plan in place with clearly defined roles in order to be successful in managing the fallout. One of the critical components is the communication needed for the many constituencies affected by or interested in the breach.
Below are some of the best practices in communication in case of a data breach.
1. Who is in charge?
There needs to be a clear understanding of who will handle the communications components of a crisis. A crisis communication team should be established (and serve as a subcommittee of the breach response team). Roles need to be defined, as do the procedures for making decisions on messaging.
2. Take inventory
With the security team, a full inventory needs to be taken and an impact assessment defined. There needs to be a high level of transparency so that members of the crisis communication team know the full scope, any continuing risks and causes as they are known. Ongoing status updates need to be provided to the C-suite, along with recommendations on responses.
3. Legal obligations
Legal obligations need to be determined and documented, including disclosures to affected parties. Brand impact needs to be assessed from both legal perspectives and the court of public opinion. Such assessments will determine whether there is a proactive or reactive business strategy applied to communications.
4. Find advocates
In a crisis, you need advocates who can speak to your customer base, investors, partners and the media. These may be internal actors such as a CEO or board chair, or external analysts, influential customers or even law enforcement. This may be the time when external media relations or PR experts are brought in. Since public opinion can sway quickly, it's essential to have good relationships with local, national and trade journalists across all media.
5. Establish timing and sequencing
Once the scope and responses are determined, there needs to be a clear timetable of messaging, being mindful of news cycles, legal disclosure obligations and follow-up as necessary. What is said at each stage of communication is likely to be different, and while nuances are expected, consistency is critical.
A breach is not a one-time incident. It unfolds gradually over hours, days, weeks and months as additional information comes to light. In addition, stolen data is often too hot to use right away, and so thieves may wait out the initial news of the breach before acting on the stolen commodities.
6. Check the plan
It's important to look at the plan on a regular basis to make sure that scenarios are tested, plans make sense, key players are the same, and audiences, brands, and sentiment are incorporated.
Despite the complexities, pressures, and stresses that come with a cybersecurity incident, planning ahead will help bring clarity to the decision-making processes. Without that clarity, there will be significant risks, some legal and some perceptual, that could endanger the brand or the company itself.