Communications best practices when responding to a data breach

October 11, 2018 • 5 minute read

If the increase in headlines has taught us anything, it is that businesses should assume that at some point they will be on the receiving end of a cyberattack or data breach, and they must plan their crisis communications strategies accordingly.

According to 2018 data released by the Identity Theft Resource Center, the number of US data breach incidents as of Sept. 5 comes to 864, with more than 34 million records exposed. This follows on the heels of a new record high of 1,579 data breaches in 2017. This March, Facebook announced how the political data firm Cambridge Analytica collected personal information of 50 million Facebook users, though that number has since swelled to 87 million (and is likely much more). But this was just the tip of the iceberg, with breaches also being announced involving organizations such as Yahoo, Uber, Panera, Under Armour and even the NSA.

As a leading crisis communications firm, we are proponents of proactive planning for crises — such as data breaches — with an eye toward minimizing the response time when an incident hits. In a previous post, we laid out the four key steps to developing a crisis communications plan. With that in hand you’ll be well-situated to maintain control of the story and minimize any reputational damage through the following steps:

1. Activate your crisis communications team

The first step is to get your crisis communications team on the same page. Immediately after becoming aware of the breach, the designated director of crisis communications will notify the appropriate team members and schedule a meeting. Contact information should be at hand and a designated conference bridge should be in an easily accessible place so all team members can convene as soon as they are contacted.

Your initial team meeting should address the following:

  1. Brief the team on the situation.
  2. Present existing media coverage.
  3. Identify impacted internal and external audiences.
  4. Discuss appropriate spokespeople.
  5. Establish next steps.

While the specific response will evolve as the crisis unfolds, develop an initial strategy that can be implemented immediately. Draft holding statements for internal audiences, and determine how and when they should be deployed. Then, develop your prerequisites for releasing an external statement, factoring in your state’s security breach notification requirements, and ensure each crisis communications team member is aware of his or her role.

2. Assess the data breach

Once the team is briefed and the initial communications strategy is in place, take a step back and assess the situation. Evaluate and gather all available information about the incident. Use every resource you have in this process, including, but not limited to, your IT team, legal counsel, the operations team, and outside vendors, which may include a forensics team, cyber insurance provider and crisis communications firm. Determine the size and scope of the breach, whether it is ongoing or contained, and which facts are fixed versus fluid.

3. Build a comprehensive communications strategy

The information you’ve compiled at this point will help lay the groundwork for a comprehensive crisis communications strategy and show the team where there are still gaps.

First, identify your overall communications goals, potential obstacles and mitigating factors, specific communications channels and the appropriate methodologies. Think about what your audiences need to hear, as well as what channels they should be contacted through, and create a policy for media engagement.

Develop a timeline that instructs the team on when internal audiences will be updated and confirms your prerequisites for making an external statement.

Finally, use the information you’ve compiled to draft messaging for all impacted audiences, with input from appropriate team members and approval from legal counsel. Develop a list of talking points and FAQs that can be referenced by spokespeople and department heads.

4. Execute the strategy

Once the strategy is in place, it should be quickly socialized and implemented. Equip spokespeople and management with appropriate statements and messaging, instructions on interacting with their audiences (including staff members), and your policy for media engagement. Create a web page for hosting external messaging, monitor social media and keep a close eye on the news.

Announce the breach internally and, in accordance with your timeline, determine when you will update these audiences and what a resolution looks like. If deemed appropriate, announce the breach externally and monitor media engagement closely.

Remain in regular contact with the team to keep them updated on how the forensics investigation, media engagement and audience response are evolving.

5. Review the team’s response

While this step comes later in the process, it is a crucially important one. Once the crisis has wrapped up, use the opportunity to look back at your process: document the exact steps taken throughout the incident, record any challenges or surprises that occurred, detail how they were overcome, and assess what changes could be made moving forward.

Brian Van Note is a Client Supervisor in the San Francisco office of Infinite Global. He develops unique and personalized storylines to secure placements for his clients in the publications that matter most to their businesses, and to position them as thought leaders within their respective industries.

To learn more about data breach response and crisis communications preparation services, we encourage you to sign up for our quarterly newsletter, or reach out directly to our team.