In the wake of a major data breach, your brand is exceptionally vulnerable. Some companies become synonymous with their most newsworthy hacks, while others are able to move beyond even the worst incidents with manageable fallout. Where you fall on this spectrum isn’t entirely up to you — some data breaches are inherently newsworthy, and the worst will earn national or global coverage.
What you can do is design a response plan that anticipates and addresses the most common mistakes companies make after a data breach. A well-crafted, well-executed strategy for how you respond to your customers and to the public will go a long way toward limiting the damage to your brand's trustworthiness. Our four-step methodology is a framework for developing your own data breach incident response plan, and it can help you get started in the right frame of mind.
The first step is preparation. If you're reading this on the morning of a major data breach, it's too late. Being organized is the foundation of a good incident response plan, but you have to do the organizing before the incident for it to be effective. As the Boy Scouts of America have said for more than a century, "Be Prepared."
What does preparedness look like in the context of responding to a data breach? First and foremost, it means having a clear understanding of who will be responsible for communicating with whom. Should the VP of Sales be giving a quote to CNET about what happened? Not unless that role was assigned to them in advance as part of the plan. It's equally important to have a clear view of the flow of information internally. Your leadership needs to know what's going on, and they should hear it from the right team member, ideally one who can answer their questions rather than relay secondhand information.
The way you manage the release of information after an incident is critical to exerting any control over how the breach, and your failure to prevent it, will be perceived publicly. Establish a clear framework for who speaks publicly, who communicates with your clients, and what language is appropriate when discussing incidents. It's also prudent to set limits on how long you will wait before issuing a public statement, and to decide in advance how you will determine whether a statement is required. Keep in mind that breach notification laws in many jurisdictions impose deadlines for notifying regulators and affected individuals, so the question of whether and when to speak is often not entirely yours to answer.
Don’t make these critical decisions in the heat of the moment. Instead, start working on them today.
The second step is understanding the impact. Before you can effectively develop messaging around a data breach, you and your team have to take the time to understand the effect of the incident on your clients, partners, shareholders, and anyone else affected. When you communicate with anyone outside your organization, it's critical to think about their perspective on the situation.
What matters when communicating after a data breach is ensuring your message is received the way you intend. Put another way, it's not what you say that counts, but what your audience hears. That means you may have to work on your messaging, or even your entire response, in two phases:
First, get the facts straight. Understand the situation in a way that makes sense to you from within the organization, including how different parts of your operations may be affected. Second, once you have a handle on what happened, step outside your company and into the public's shoes. What do they want to hear? What do they need to hear to understand that you're doing everything you can to rectify the situation?
Once you’ve wrapped your head around the situation from an outside perspective, it’s time to make a statement and start taking back control of your brand’s image.
The third step is to apologize. It should go without saying, but it's so often overlooked that it bears mentioning here. If your network was breached and sensitive data was exposed on your watch, you should apologize. The intrusion might not have been your company's fault, but you were in charge of keeping the data safe, so it's appropriate to admit you fell short.
Of course, there are many things to consider when preparing a public statement. Liability is a tricky subject, and any statement you make should be cleared by your legal team. You don’t want to take undue blame, but neither do you want to minimize the impact of the breach on your clients.
Here is where the work you did in the previous step will come into play. Understand what message needs to be heard, and then figure out how you can offer that message while still coloring inside the lines. It can be tricky to hit all the right notes, but your response to a data breach can wipe the tarnish right off your brand or keep you in the headlines for all the wrong reasons.
The fourth step is the post-mortem. Once the message is out in the world, it's time to start in earnest on the post-mortem for your response. While your IT and security teams work to understand how the breach occurred and what they must change to prevent a recurrence, it's just as valuable to document your public response in detail. What worked, and what didn't? Did everyone play their assigned parts? Did you hit the targets on your timeline? How can you do it better next time?
By developing and documenting a framework for evaluating your response to a data breach, you can measure your performance objectively and adjust your plan before the next incident. Of course, nobody wants to think there will be a "next incident," but nobody wanted to believe the first one was going to happen either.
The worst mistake any company can make is not learning from their own mistakes. Every iteration of every process is an opportunity to refine performance and do better next time. Stay positive and think ahead and your brand will be in good hands.