An introduction to crisis comms: what to do in the event of a breach

At Infosecurity Europe 2019, which brought over 19,000 industry professionals together under one roof, I was honoured to be invited to present to the Leaders’ Lounge on the subject of crisis communications and – more specifically – how to handle the media in the event of a data breach.

Joining me was Steve Hemsley, media trainer and journalist, and between us we managed to reassure the many CEOs, CFOs and CSOs in the room that with good preparation, a process, some clear thinking and a focused spokesperson, crisis comms can be dealt with in the right way.

Following the enforcement of the General Data Protection Regulation (GDPR), and with recent high-profile data breaches affecting TSB, Facebook, Equifax and others, the role of crisis communications in limiting reputational damage and strengthening confidence and credibility has never been more important. Most organisations think they’re sufficiently prepared to manage and communicate effectively in the wake of a data breach – but being ready to handle such a crisis requires more groundwork than is often realised. As many brands find out the hard way, an elementary crisis plan and generic messaging are rarely sufficient.


Knowledge is power

While you certainly don’t need to be a legal or forensic IT expert, it’s invaluable to start by developing a base-level understanding of what a data breach is – and also what it isn’t. Broadly speaking, there are four different types of breach: internal, limited external, fully external, and external multi-jurisdictional.


Preparation is everything

Next, put together a detailed incident response plan and associated crisis communications plan. Address each type of data breach the business might face, setting out everything you’ll do at the pre-, during- and post-crisis phases. Equip yourself to deal with rumour and conjecture by creating a framework for countering misleading information in the public domain.

Identify the audiences you need to communicate with, including employees, shareholders, stakeholders, the public, partners and the media, and establish what their needs are. Your first priority should be those affected by the breach, and you must communicate clearly and empathetically with them.

Appoint appropriate subject matter experts as spokespeople in every region the business operates in, to avoid issues with time zones, and set up media training so they’re ready to be interviewed.

Finally, roleplay what would happen if a breach occurred, in order to test and rehearse your plans – a bit like a fire drill.


Balance speed with accuracy

Understanding the extent of a breach can take time, yet the need to notify and communicate quickly and openly is pressing. Communicate information as accurately as you can, and avoid making promises and assurances you may not be able to keep. Prepare a holding statement for each audience and keep updating them as you learn more. Never allow a spokesperson to be interviewed unless they’ve been fully briefed on the situation.


Remember the 3Rs

  • Show regret – be genuinely sorry, and take a human tone in your apology.
  • Show reason – explain what happened, but stick to the facts.
  • Show remedy – explain what you’ve put in place to make sure that this doesn’t happen again.

Be mindful of ‘business as usual’ activities

Pre-existing marketing messages and communications programmes will need to be adapted, or even suspended, while the breach is handled. Equifax was criticised heavily for wishing customers a ‘Happy Friday’ on Twitter in the midst of its catastrophic breach.


Grasp the learning opportunity

Post-crisis, assess your performance honestly and adapt your response framework to better handle future breaches.

Effective crisis communications is an increasingly essential component of data breach response. It won’t make the problem go away, but bad communications will certainly make it worse. If you prepare comprehensively, communicate with clarity and are willing to learn from the experience, you’ll position your organisation well to weather the storm.





By Hannah Robertson


