nNovation LLP


Posted By: Anne-Marie Hayden, January 7, 2022
Category: Privacy Breach

10 crisis communications tips for privacy breaches

Privacy breaches are happening all the time and they can have dire consequences. When (not if) you experience a breach, the stakeholder trust that’s been built in your organization is on the line.

How you handle the breach can affect how you maintain and, if necessary, rebuild that trust. How you communicate when there’s a breach is an important part of that equation.

Here, I wanted to share a few communications tips to help plan for and address breaches a little more smoothly.

1. Recognize breach risks in risk planning

Many organizations have corporate risk profiles. They help to identify, understand and mitigate a wide range of risks and to address issues effectively when they do arise. These days, if your risk profile doesn’t include a breach as a possible risk, something’s missing. Once a breach is identified as a risk, the mitigating strategies include things like tightening up security safeguards, developing a breach response plan and complementing that plan with a strategy for communications.

2. Include comms in the crisis planning and response

Every organization should identify, establish and train its crisis planning and response team – before something happens. Each member’s role and responsibilities should be made clear. Since most crises include some form of communication, make sure to include a communications specialist in this group.  

3. Prepare a crisis comms strategy

With most breaches, time is not on your side. Having certain things ready in advance can be a real lifesaver. Given this, the breach response plan should have a crisis communications strategy baked right into it. A comms strategy includes things like objectives, target audiences, messages and tactics. The strategy should contemplate potential scenarios and should include some pre-drafted processes, messages, checklists and templates.

4. Determine your overall breach response goal

Each crisis has unique attributes and it’s difficult to plan for every possible scenario or question. So, when a crisis does hit, it’s helpful to take a moment to determine your organization’s goal in dealing with the incident, in light of its corporate values. What will success look like at the end of it? Making sure the goal you establish is clear, brief, succinct and understood will help everyone involved to focus the limited resources and efforts, as well as the communications tactics. It will also help you answer questions that come up, because you’ll measure the answer against whether it will help you achieve that goal.

5. Identify and understand your audiences

There are often many different stakeholders to consider in the event of a breach – customers, investors, media, regulators, even police, to name a few. Each one needs to be considered carefully: they may require different types of information, there are likely legal considerations in dealing with each one, and each may have its own requirements and preferences as to the most effective communications channels.

6. Don’t forget your staff

This one deserves its own bullet because unfortunately, sometimes, organizations are so focused on their external audiences that they forget their internal ones, which are so vital to maintaining stability and operations in the face of a crisis. Make sure staff are included in your list of audiences in the communications strategy. Ideally, once you know an incident like a privacy breach has occurred in your organization, your staff hear about it from you instead of from the media.

7. Balance the risks of a media response

Speaking of media, how do you manage media effectively in the event of a breach?

Certainly, don’t speak to the media about a breach before your response team is activated and involved, so that legal and other issues can be addressed, and before you have certain basic facts straight. Remember, though, that the news cycle moves quickly and that waiting too long on a media decision can put you in a defensive light. Not all breaches need to be shared proactively with the media – in many cases that would be overkill. That being said, in the right circumstances, a media request from an established outlet or even a proactive media announcement and briefing about an incident can be an opportunity to be heard, to deliver your key messages and to demonstrate openness and transparency early on.

8. Have clear, consistent messaging

I noted earlier that different audiences might require different information, depending on who they are, the impact of the breach on them and their relationship with your organization. The main messages must, however, be very consistent across the board. Required regulatory notices and reports need to include all the legally mandated points, but your other communications shouldn’t be drafted in legalese. Consider focusing your communications on the 5 Ws and keeping the language simple and straightforward. Also keep in mind that most people have limited numeracy skills, so pay special attention to the way you present numbers, to reduce the possibility of confusion.

9. Assess and integrate post-breach comms

Your organization’s reputation might take a hit, in the moment, when a breach occurs. But a breach story doesn’t need to define your company. Think about the goal established at the outset and make sure that your breach response plan and the accompanying communications strategy consider both the shorter and longer term. Undertake a post-mortem and, as part of the process, explore and implement communications tactics that are going to help you move beyond surviving the breach to thriving post-breach. Remember that in this era of frequent privacy breaches, demonstrating resilience in how your organization handled a breach can go a long way toward maintaining or rebuilding that hard-earned trust.

10. Practise, practise, practise

While there’s some debate on the merits of the 10,000 hours rule – the one that says you can be good at anything if you just put in the time – there’s no question you’ll be in a better position if you dedicate time to reducing breach risks and planning for them. So, remember to practise, practise, practise. And with all the right people at the table. Too often, tabletop exercises are limited to the IT and legal folks. But we urge you to invite comms pros to the tabletops and practice sessions too, to work through the crisis and breach response plans, strategies, scenarios and prep materials with these colleagues. You’ll be glad you did!
