When my team said they wanted to cover this topic, the very first words out of my mouth were that I fervently urge organizations to take their security and compliance stance seriously so they’re less likely to become a statistic in the first place. But, setting that aside, let’s get into it.
We’ve all seen companies that issue public statements about how important security and customer privacy is to them — all while trying to explain why they had a data breach of their customers’ sensitive information.
It usually rings hollow. Especially if, like some companies, this isn’t your first breach.
But what if you really do take security and compliance seriously, and you’ve still suffered a data breach? It does happen. In that case, you’re in the unfortunate position to have to make a public statement about your data breach and reassure your customers and partners that you take security seriously.
But there’s a right way to do it and plenty of wrong ways.
What’s at Stake
I can’t stress enough how critical it is to get your communication right, from the first moment. And it isn’t just your communication to news channels and customers — it’s also internal communications as well as every kind of external communication. Your reputation and your company’s future depend on getting it right.
Your name just went up in lights, your phone is now ringing off the hook. Not only is your existing client base demanding to know the impacts to them, you also have a battalion of people on the outside wanting to know exactly what’s going on as the word quickly spreads.
It’s very difficult to navigate these waters and remain in business. In fact, most small businesses don’t survive a data breach. So, mastering communication on every front isn’t just important, it’s absolutely essential.
Be Prepared Ahead of Time
Most companies that get breached aren’t prepared to handle the fallout. Even organizations that take security seriously. That’s why it’s important to know ahead of time what you’ll do if your company gets hit by a bad actor.
Have a plan in place that has been reviewed by security experts, train on that plan, exercise that plan, and communicate that plan throughout your organization. Every employee should know the plan exists and know how to reference it at a moment’s notice.
Walk through your plan as part of your security awareness training and include it in your new hire onboarding process — every single member of your team will be part of the solution if called to arms.
Related: Will Your Cyber Liability Insurance Really Cover You?
Rely on Your Team of Experts
You’ll need a good team of people around you who can give wise directional guidance based on experience about what to say and how to say it. Make sure you’re leveraging the guidance from your team of experts regarding how to proceed.
The moment you discover you’ve been breached isn’t the time to start searching for lawyers or finding a cyber forensics expert. It’s a hell of a lot easier to have a hit list of people in your back pocket. Your response team should include the following experts:
- Legal counsel
- Cyber forensics
- Secure coding experts
- Penetration testing experts
- Networking experts
- Consultants and Assessors that are experienced with the security and compliance requirements your organization is subject to
One note about your legal counsel: don’t merely assume your current legal team understands data breach issues. Make sure they do. This is a niche area that requires special expertise. You also want to make sure your legal team is intimately familiar with your organization, business, and existing legal agreements. Again, this isn’t the time to start working on planetary alignment.
Communicate with Customers
With direction from your legal experts, provide clear communication to your customers, vendors, and partners about what occurred. Communicate how it occurred and what changes have been made. Include details about the overall program and the additional safeguards that are now being implemented.
If you have a robust program in place, you already have client-facing assets that you can leverage to distribute materials to customers and partners. Any organization can have a problem, but it’s a lot easier to do cleanup with customers if they can see that you’re already doing your due diligence — you just happened to get unlucky.
Be Transparent About Your Data Breach
Your customers — and the general public — will naturally be skeptical about any public statement you make about a data breach. Trust has been broken, and your next steps will determine whether you can win that trust back or not. Any sign that you aren’t being transparent or truthful will make things markedly worse.
Be open and honest when communicating about the issue. Explain what happened, how it happened, and how you’re making course corrections. Remember: leverage the advice of your legal experts, but do your best not to equivocate, shift the blame needlessly, or evade questions. Acknowledge the impact of the breach on your customers and be accountable.
Don’t Be Too Transparent
At the same time, every detail you provide to the public could be a liability to your organization. You need to communicate effectively with those who depend on you, but you also need to protect your company.
Don’t be too transparent too early, and don’t say anything without the guidance of an expert. Before you make any kind of statement, you’ll need to get your arms around the extent of the issue and understand exactly what happened, and to whose data. Understand the material impacts and form a plan of remediation.
When you know those details first, you can start making sensible decisions about your communication plan.
Consolidate Your Communication
What happens when the news breaks on Twitter at 9:30 a.m. and your sales people are on the phone with a prospect? How will your front desk admin field the flood of phone calls? How will help desk people handle questions on chat support?
All these people are actively fielding questions from customers, prospects, and partners. Customers aren’t coming to your legal team or your CIO — they’re going to their own points of contact within the organization.
When news breaks, it will be critical to control the narrative and the talking points. The more voices you have in the conversation, the less control you maintain.
Immediately instruct your internal personnel about how to direct inquiries from customers and other parties. Give them a script to use when someone asks questions. Have them redirect inquiries to a central point that’s authorized to field questions.
Controlling that narrative is important for a couple reasons: first, it gives you control of the messaging. Second, you don’t want people saying too much too early, because you need to finalize the investigation and understand the impacts.
Also, when you redirect all inquiries to a central point of contact, you can maintain a list of all the people who are asking questions and what they’re asking about. Once you’ve validated the information, you can reach back out to them and provide accurate answers. This will go a long way to bettering communication during and after the storm.
Don’t Cross Your Fingers
Any organization can encounter a problem — even if you’re doing your due diligence — but it’s a hell of a lot easier to react quickly if you’re already prepared. Don’t wait for a data breach to happen, start putting puzzle pieces in place now.
Need help navigating the security and compliance waters? TCT can advise you and provide references to trusted partners. We’ll help you prepare with confidence.
Get equipped with insider expertise
Subscribe to the TCT blog
