What Now? – A PR Plan to Respond to a Data Breach
Nigel Sarbutts, founder of The PR Cavalry, a platform that matches clients to specialist PR freelancers with no fees, shares his thoughts on creating a PR plan to respond to a data breach in your business.
I experienced a gut-wrenching moment when I learned that my business had suffered a cybercrime.
In our case, it was our hosting company, a global entity with hundreds of thousands of customers, that was the subject of a ransomware attack.
We were lucky: the site was down over a weekend, and we protected the data, but we felt powerless and angry at the time. It could have been much worse.
But once a breach has happened, what can you do to stop it damaging your credibility with customers, employees and suppliers?
Follow our 7-Step PR Plan to Respond to a Data Breach
Rule One – Stop Being Angry and Get Busy on Your Communications Response
You will feel angry and want to do bad things to the perpetrators. All of that is wasted energy, and it gets in the way of the urgent task of protecting your credibility with stakeholders, which is what is now at risk.
Rule Two - Decide on Your Disclosure Plan
Which stakeholders are you legally obliged to tell about a data breach? If you hold personal data of people in the UK or EU, the GDPR requires you to notify the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of a breach that is likely to put individuals at risk, and to tell the affected individuals themselves without undue delay where the risk to them is high. Check your contracts too: customers and partners often have their own notification clauses and deadlines. Then decide who else needs to be told and in what order. Was customer data lost but not employee data, or vice versa?
Managed disclosure is ALWAYS better than a breach being leaked by a third party, so take control of the timing by first working out the order of who needs to be told, and when.
Rule Three – Establish the What
You have, if not a regulatory duty, at least a moral responsibility to allow the subjects of a data breach to mitigate their risk, so you need to know what data is compromised. It may not be as bad as your initial shock made you think. It could also be worse.
Until the investigation confirms the scope, err on the side of caution: say clearly what you know, what you do not yet know, and that you are treating everything that could have been exposed as exposed until it is ruled out. Saying "it's not as bad as we first thought" is a world better than going back and saying it's worse.
Rule Four - Establish the When
Ideally, you first hear about a breach from internal sources, so you can decide when to communicate it. Don't squander this advantage: communicating early puts you in control. Stakeholders deserve to hear it from you, in words of your choosing, and coming clean is always to your credit.
Having gained that first-mover advantage, you must maintain it by staying ahead of rumours, even if it means revealing a worse picture than you first understood.
Rule Five - Establish the How
You have three main direct channels where you control the message: email, your website (home page and a dedicated page) and social media. Keep a grid showing that all three are being used in sync, with no gaps in timing and no contradictory messages. One caveat: if the breach touched your web server or your email system, confirm those are clean before you use them to communicate, or the attacker may be reading or altering your own statements.
You also have the indirect channel of external media, where your message will likely be challenged or reinterpreted. Do not react to negative comments, but respond to them where necessary. On social media, reply accurately to harmful comments but avoid emotionally driven words. Anticipate reaction by preparing supplementary information for the valid questions that will be raised.
Rule Six – Establish the Message
Each case is different, but generally:
Accept Responsibility and Apologise – it was your data to protect, even where users ignored your advice on password protection.
Avoid Sounding Like You Are Trivialising – your main job is to project trust, not sound like you are covering your backside.
Avoid Blaming the Perpetrators – everyone already knows criminals are in the wrong. Blame helps no one.
Avoid Shifting the Blame – a third party may be partly or primarily responsible, but it was up to you to manage that risk.
Keep it Clear – jargon can sound like you are trying to hide behind words.
Rule Seven – Turn Back the Clock
The best time to deal with a data breach is the day after you've planned for one, with all your resources, procedures and responsibilities mapped out.
If you got the call today, how ready would you be, and has your PR team got real crisis management experience?
Are you worried about your current plans?
Talk to us about a Cyber Risk Exposure Assessment. It is closely linked to an industry-standard framework and methodology and assesses risks across three fundamental categories: Basic Controls, Foundational Controls and Organisational Controls.