Lessons in crisis comms: Responding to a data breach

May 21, 2018

As organisations prepare for the General Data Protection Regulation (GDPR), and with recent high-profile data breaches affecting TSB, Facebook, Equifax and others, the importance of crisis communications in limiting reputational damage and instilling confidence and credibility has never been more critical. Most organisations think they are sufficiently prepared to manage and communicate effectively in the wake of a data breach. But are they? How confident should organisations be in the efficacy of their current crisis preparations? Being ready to handle data breach crises requires deeper preparation than is often realized. As many brands find out, an elementary crisis plan and generic messaging are rarely sufficient.

On Thursday I attended ‘Holding Back the Flood’, a Midtown Business Club seminar panel debate, focused on how to identify, prevent and manage data breach from a legal and PR perspective. My colleague Peter Barrett, Associate Director and crisis communications specialist at Infinite Global, spoke at the event, alongside members of law firm Lewis Silkin’s Data and Privacy Practice Group.

The mentality of “let’s cross our fingers and pray for the best” is dangerous for any business scrambling to put together a crisis communications response while also dealing with the incident or issues thereafter. How a business responds is paramount in protecting its reputation among customers, employees and other key audiences.

Effective crisis communications is an essential component of data breach response. So, what are the key takeaways according to Peter Barrett at Infinite Global?

  • Fail to prepare, prepare to fail. Preparation is everything and you must plan your breach response at the pre-, during- and post-crisis phases
  • Prepare an incident response plan and associated crisis communications plan, ensuring the appropriate subject matter experts are at hand
  • Practice, practice, practice – Scenario plan, simulate and wargame until you’re fully prepared
  • Collaborate with partner organisations to learn holistically. You needn’t be a legal or forensic IT expert, but it is invaluable to develop a base-level understanding of what a data breach is – and what it isn’t
  • When communicating post-breach, balance speed of response with accuracy of information. Understanding the extent of a breach can take time, yet the need to notify and communicate openly and quickly is pressing. Communicate as accurately as you can and avoid making promises and assurances you may not be able to keep
  • Do not overlook ‘business as usual’ activities. Pre-existing marketing messages and communications programmes need to be adapted (or suspended) while the breach is handled. Equifax was criticized heavily for wishing customers a ‘Happy Friday’ on Twitter in the midst of their catastrophic breach
  • Address rumour and conjecture. Create a framework for countering misleading information in the public domain
  • Focus on key audiences. Those affected by the breach are your primary responsibility and you must communicate clearly and empathetically with them
  • Remember media handling 101. Don’t field your CEO into broadcast interviews if they are not fully briefed
  • Grasp the learning opportunity: post-crisis, assess your performance honestly and adapt your response framework to better handle future breaches

Effective communications post-breach won’t make the problem go away, but bad communications will certainly make the problem worse. In short, prepare comprehensively, communicate with clarity, learn from the experience and adapt your response framework to better handle future breaches.

If you would like to find out more about how Infinite Global could help you prepare for and handle data breach, please contact Peter Barrett on peterb@infiniteglobal.com / 0207 269 1433.

Kajal Shah is a Senior Account Manager working across the property, legal and technology sectors.