By Evan Bloom
Data breaches continue to make headlines around the world. Many companies think they are fully prepared to communicate in the wake of a breach. But are they? Is having a basic crisis communications plan enough? Granted, something is better than nothing, but being ready to communicate during a data breach crisis requires much more preparation than a basic crisis plan and some generic messaging.
Communication errors can occur during any of the three stages of data breach communications (Ready, Response and Reassure), and errors often generate the cascade of negative effects that can arise in the wake of a breach. Understanding and preventing these top ten common errors can help stricken companies avoid adding insult to injury when a crisis strikes.
The top 10 errors are:
1. No formal data breach communications plan: as soon as the alarm is raised and the company realizes it has been breached, time becomes a critical asset. The company needs to notify all relevant stakeholders –authorities, partners, customers, any and all entities compromised – as quickly as possible.
With confusion and panic likely, managers should not have to waste valuable time and energy tweaking a generic crisis communications management plan. A formal, scenario-specific data breach plan provides the crisis communications team with the ability to think with clear heads, make good decisions, and communicate with laser-like accuracy.
Scenario-specific plans facilitate precise communications and messaging. Moreover, they increase stakeholders’ faith in the integrity and competence of the company, reducing the potential for the company to be perceived as not knowing what is going on, and mitigating the ever-present risk of both media and clients speculating whether the company can actually manage the crisis.
2. No designated crisis communications team, spokesperson, and key decision maker: the crisis communications team is a key element of successful crisis communications planning. The designated team will be directly involved in and responsible for crisis management and communication during the lifecycle of the data breach. When the crisis communications management team does not have roles and responsibilities assigned before a breach occurs, there is a higher likelihood of confusion, unnecessary error, and wasteful duplication of effort.
The chief spokesperson, ideally the CEO, plays a pivotal role in managing a crisis. He or she is the face of the communications process for the duration of the crisis. Other senior executives can play a valuable role by explaining key aspects of the crisis. For example, a CEO may not have the specific expertise of the CIO, who could explain the technical aspects of the breach in more detail if needed.
Designating the CEO as a spokesperson also indicates that the issue is being taken seriously, making stakeholders feel like efficient remediation is a priority for the company, and that the breach is not being downplayed to save face. Having a single decision maker responsible for analyzing issues and making confident and accurate decisions is crucial to a successful recovery. The ship in crisis needs a captain who can make tough decisions and be respected regardless of the decisions made.
3. Neglecting to test the plan: a plan is of little value if it is not put into action, tested, and exercised. How can a company have confidence in their data breach communications plan if they have not experienced how it works, or do not know if it will work optimally?
A fully-fledged tabletop exercise involves all key internal teams – crisis communications, IT/cyber response, business continuity, customer relations, executive management, call center, legal, HR, etc. All external partners and service providers should be invited and included, such as PR consultants, business continuity and cyber security vendors, lawyers, and insurance providers, among others.
The plan should be worked through until all kinks are smoothed out and errors identified and addressed. Then the updated plan should be sent to all plan holders to be kept in hard and soft copy, with the next tabletop exercise date scheduled.
4. Insufficient technical communication infrastructure: when a breach is discovered, companies need to focus on immediate needs, and not be distracted by having to set up toll free numbers, test lines, call volumes, etc. The specific type of technical infrastructure required depends on the type of company and the nature of the business. This essential planning and infrastructure investment should occur prior to a crisis and include template-based scripting that can be updated based on the specific breach scenario.
It all depends on what a company prefers. Some companies may already have call centers and opt to use their own existing numbers. Some may designate one call center number for day-to-day complaints and queries and another for breach-specific queries. Some companies may outsource their entire call-center management for the breach to third party companies who specialize in these situations. A variety of arrangements can be beneficial, depending on the specific needs of the company—the key is that they be made in advance.
5. Inaccurate information and communication: misstatements and misinformation generate confusion and a loss of faith in the company. Providing accurate information and communication is critical, but this tricky area comes with some challenges. The company needs to communicate quickly and accurately to retain communications control. However, accurate information is not always immediately available.
The cyber response team needs time to conduct a preplanned ‘forensic investigation’ to discover what happened and how it happened so data can be recovered, its integrity determined, and the areas of penetration identified and mitigated, repaired, and/or closed. It can be just as damaging to a company’s reputation to communicate too soon as too late, when the facts are not available and word gets out ahead of formal communication.
Similarly, a company that frequently and unpredictably changes information and messaging can be perceived as ‘chasing its tail’. All core teams, such as cybersecurity and legal teams, must know how to gather appropriate information and brief the crisis communications team. Sound planning involves creating proactive uniform protocols and plans so that communications can be disseminated in unison across all relevant channels via appropriate conduits.
6. Lackluster communication: how a company communicates is just as important as what it says. The tone of communication, including ‘soft’ factors such as empathy, respect, and integrity, will go a long way in retaining brand trust and creating a solid platform for the next phase of communications. Clear communicators never shy away from acknowledging mistakes and apologizing. Some spokespeople may hesitate to apologize due to doubts about liability and responsibility issues; if this is the case, legal advice should be sought so that spokespeople can apologize without hedging, which can damage reputation.
Furthermore, effective communication is a two-way street. Companies cannot simply push out a message and think the job is done. They need to give all recipients a conduit for asking questions and seeking reassurance. Journalists need easy, friendly access to the company spokesperson, vendors need to know they can speak to their senior business contacts, and customers need a telephone number to call so they can speak with a real live person, not simply listen to prerecorded messaging.
For customers and the uninitiated, being the victim of identity theft or losing money as a result of a breach can be traumatic. Customers need reassurance that their interests are safeguarded. Companies should also consider providing specialized training for call center staff and frontline employees to deal with angry or upset customers.
7. Poor timing: one of the most important communication issues is timing — errors can be made by communicating too soon or too late. Data breaches, like most crises, are fluid. Situations change. Predetermined strategies often need to be updated as events unfold. Astute leaders know the value of proper timing. This is why it is highly important to have an actionable communications plan that is ready to go along with a cyber response team who knows how to brief the communications team. These teams need to know what their roles and responsibilities are and have all the policies in place so that when the time is right to disseminate the first press release and letters to customers, they all contain the same accurate, well-worded information.
The first set of press releases and communications and their accuracy sets the communication tone and perception of a company for the duration of the crisis. As we have seen, while rapid communication is critical so the company does not lose control of the scenario in the event of a leak to the media, rapid and informed communications wins the day.
8. Not being up-to-date on regulations: many companies think that if they offer some form of rudimentary communication that they have complied with the law. This is not always the case. Laws provides a set period of time in which to communicate. Federal, state, and local regulations vary across the country, and valuable time can be wasted briefing executives on law when they need to be handling the breach. Currently all but three US states – South Dakota, Alabama, and New Mexico – require breach notifications.
Each state has its own unique communication requirements, and companies can be tripped up if their footprint extends to more than one state. For example, a company could have offices in one state with complex regulations, and one state with no regulations at all. It is prudent to be up-to-date on communications requirements and be prepared to quickly comply to pertinent laws and regulations when a breach strikes.
9. Poorly thought out policies and processes: one pressing question for a company to address following a breach is, “What do we need to do to make our customers feel more secure and know we have their best interests at heart?” For example, should the company offer free credit monitoring? If so, where will it come from, and how and when will the company deliver this service? The company should have the relevant partner on board, ready to deliver credit on short notice. Strong preparation ensures that following a breach, the only task necessary is implementation.
These types of decisions need to be made before a breach so that in the initial communications all relevant information can be provided clearly and professionally, then reinforced and repeated as necessary in all subsequent communication. Making these types of decisions in the heat of a crisis can severely impact communication because the company will be perceived as having no real plan of action in place to help its customer base deal with the crisis. The inability to communicate effectively during this critical time can impact perception, reputation, and even the bottom line.
10. Failure to monitor customer sentiment and the media: once communication is proactively disseminated, how will a company know how the communication was received? The company needs to monitor the social media universe, the media, and, crucially, its call center.
Social media monitoring reveals what customers and others are thinking and saying about the company and its communication and remediation efforts. Gathering this information will shine a light on strategies that need to be modified and help the team hone messaging and follow-up communications.
Monitoring the media at large provides similar but broader information; it identifies journalists who need additional information and insights, and helps the team target and correct inaccurate reporting. Finally, listening and responding to customer complaints and issues received through a call center will identify red flags and help identify potential secondary crises which have a nasty habit of following the primary crisis.
Knowing what can go wrong can help a company avoid the all-too-common errors that can exacerbate negative fallout from an initial data breach. Effective proactive preparation includes avoiding these ten errors and thinking, planning, testing, and training ahead.