Data Breach Communications: Your Crisis Checklist

August 14, 2019
By iQ Staff
Digital binary code with the word "HACKED" in bold.

It can happen to any company, and affect virtually anyone. A data breach is all too common an occurrence these days, hitting internet giants like Yahoo, hotel leaders like Marriott and big box retailers like Target. It even struck Equifax, a company consumers turn to for credit monitoring, prompting the largest data breach settlement in history.

When data is compromised, it’s a crisis — the type of crisis that stops everyone in their tracks. Companies must be prepared to communicate or risk severe reputational damage, which may be impossible to repair. Here’s an essential primer on effective communication in the face of a data breach.


Prepare immediate, necessary communications

A data breach is obviously a special type of crisis and mandates thorough preparation beyond a basic crisis communications plan. Your executive and legal teams should be prepared with appropriate plans and precautions to make formal, public disclosures, notify customers, as well as communicate with law enforcement. Any or all of these actions may be immediately required depending on the industry and type of data compromised.


Make proactive statements

While there may be circumstances that prevent companies from communicating proactively about a breach, a public notification is often the best way to help preserve a company’s reputation and possibly contain the crisis by inviting affected customers to closely monitor their credit activity. The communications team must work closely with the legal team, and outside counsel if needed, to understand any federal or state notification laws that might be applicable.


Communications, on several levels, needs to kick into high gear in the face of a data breach.”


Manage misinformation

Whether or not a company chooses to communicate about a data breach, information may find its way into the public domain via well-connected journalists or customers communicating on social media. If you’re not legally restricted, correct the record as quickly as possible and continue to be vigilant monitoring for falsehoods.

This is another reason why a proactive statement right out of the gate, circumstances permitting, may be the best bet. Often the first account of a news item is the one that sticks, and being first goes a long way toward owning the narrative.


Brief trusted reporters

Your communications team likely has at least a handful of trusted journalist contacts that have an interest in disseminating the facts to their readers. It may make sense to spend time with these reporters, even after a public disclosure, to help provide context and details to the story.


Provide ongoing updates

It is important to update the media and the public about post-breach activity when new information becomes available. Rebuild trust by reassuring customers and the marketplace that the security of their information remains a priority. This is the time to activate those legions of social media followers that the communications team has been cultivating. One caveat: these communications should be timed and crafted carefully, so as to avoid creating any additional confusion.

When a data breach occurs, unaffected companies may breathe a sigh of relief and say, “At least it wasn’t us.” Unfortunately, based on the frequency of data breaches — more than 6,500 were reported in 2018 alone — the next breach is likely right around the corner. If it does affect your company, being prepared will go a long way toward communicating effectively with your most important stakeholders.