A data breach can do serious damage to a company's reputation and can influence customer loyalty. Small businesses are particularly vulnerable to the devastating effects of data breaches.
The potentially enormous scope of a data breach, the fact that it may have occurred long before it was discovered, and the invisibility of most repair efforts—remember, increased data security can't be "seen" by customers—all lead to a unique challenge in communicating a data breach. Here are some best practices to create a crisis communication plan that will help keep your company prepared.
Designate a Crisis Response Team
The ideal team includes:
- Representatives from key company stakeholder groups
- Legal counsel
- IT experts
- Communications and public relations experts
All crisis response team members should be trained in the laws and regulations surrounding data breach reporting.
Plan Your Internal Communications
First, determine who inside the organization should be notified and what each person needs to know. Consult legal counsel before issuing any internal communications, and document the timing of anything that is approved and released.
Designate External Points of Contact
Next, decide which team members will be responsible for communicating with different outside groups. For example, your social media manager might answer questions via Twitter or Facebook, while your chief financial officer would be more qualified to contact shareholders.
Create Legal Notification Procedures
All but three U.S. states require companies to notify customers of data thefts. Work with legal counsel to make sure your breach communications satisfy all applicable laws and regulations.
Create Communications Templates
Your company should have rough templates of emails, social media posts, and letters to stakeholder groups ready to go. Well-crafted communications should:
- Clearly say what you know and don't know about the breach
- Explain how the company is fixing the problem
- Offer concrete advice for customers to protect themselves
- Point customers to additional resources and information
- Be simple and concise
- Above all, express empathy
Create Communication Guidelines for News and Social Media
Follow your crisis communication plan. Improvise only when absolutely necessary; off-the-cuff comments made under stress are risky and often counterproductive.
Get the Word Out
Message timing is critical to your credibility; it's better to break your own bad news before someone else does.
- Break as much as you can in a single news cycle, and continue to provide regular updates
- Avoid statements like "no comment," which can give the impression of guilt or negligence
- Using communications templates, reach out via multiple channels to all relevant audiences
- Bring in highly credible independent sources early on who can reinforce your messaging
Funded by a partnership with the Texas Legislature, and powered by the Center for Identity, IDWise is a resource center for the public on identity theft, fraud, and privacy.