September 5, 2016

How To: Communicate after a data breach

Linda Varrell

While companies tend to have disaster recovery plans that emphasize restoring critical systems, communication plans are too often ignored until after a data breach. An oversight of this kind at the time of a breach can have a lasting negative impact on the organization's reputation and potentially exacerbate the financial consequences.

In the event of a data breach, the following points will help in communication with key stakeholders:

  • Have a written, tested crisis communications plan: The plan should contain everything the company will need in the event of a breach, from what to do when a breach has been identified, to the final communication once the incident has been fully addressed. It should cover communications to all stakeholders, including sample text that has already been reviewed by compliance and legal advisors so that during the crisis it can be edited and used quickly.
  • Appoint an incident response team: The team needs to include internal employees and outside contacts, all of whom will be available at short notice, can contribute to the subject matter and have the required communication skills. Some suggestions include executives; IT; legal; PR/communications/marketing; HR; finance; compliance; security officers; customer service. Externally, you could reach out to a PR firm; law enforcement; regulators; an expert in data security; a search firm.
  • Understand regulatory notification requirements: With breaches of certain types of information, including personally identifying information (Social Security number, health records, etc.), strict rules exist around communication, including who you have to communicate to, in what time frame and in what format. And, since each state has different requirements, seek out legal advice to make sure you are in compliance with both state and federal laws.
  • Manage customer expectations: A 2014 Pew Research Center study showed 91% of American adults feel that consumers have lost control over how personal information is collected and used by companies. Communicating in a timely and clear manner, stressing appropriate urgency, and providing remediation and credit monitoring services free of charge will all help companies do right by their customers.
  • Manage employee communication: All employees, especially staff who interact with customers, should be kept informed. Clients will call their contacts for updates. Employees need to know when callers should be forwarded to a central hub, and should also be given scripts with a summary and approved comments.
  • Write with clarity: The most important aspect of crisis communication, especially in a breach situation, is transparency. Stick to the facts of what happened. Avoid jargon, buzzwords, embellishment and minimizing language. Take responsibility and apologize. Write at a 6th grade level. Provide contacts for further assistance and explain the steps your company is taking to keep it from happening again.
  • Monitor: Vigilantly monitor for all news and comments about your company, keeping an eye out for inaccurate or sensationalized public commentary to provide a timely correction. Monitor social media sites and use search engine alerts. Ask employees to listen for and track competitors, industry and key customer comments.
  • Use the web: In addition to direct communications, a website update page should show current information. This helps both internal and external resources to stay informed.
  • Prepare post mortem: The effects of a data breach can be long-lasting, far-reaching and sometimes difficult to discern over time. As the incident winds down, assess the plan's effectiveness and discuss impact and feedback from customers. Analyze media coverage and identify potential long-lasting risks. Finally, adjust the plan with lessons you've learned in case something happens again.

In the end, the planning effort is often as valuable as the plans themselves.

Linda Varrell, president of Broadreach Public Relations in Portland, can be reached at lindav@broadreachpr.com
