nNovation LLP

Small Canadian regulatory law firm with a big presence

Anne-Marie Hayden

10 crisis communications tips for privacy breaches

January 7, 2022 by Anne-Marie Hayden

Privacy breaches are happening all the time and they can have dire consequences. When (not if) you experience a breach, the stakeholder trust that’s been built in your organization is on the line.

How you handle the breach can affect how you maintain and, if necessary, rebuild that trust. How you communicate when there’s a breach is an important part of that equation.

Here, I wanted to share a few communications tips to help plan for and address breaches a little more smoothly.

1. Recognize breach risks in risk planning

Many organizations have corporate risk profiles. They help to identify, understand and mitigate a wide range of risks and to address issues effectively when they do arise. These days, if your risk profile doesn’t include a breach as a possible risk, something’s missing. Once a breach is identified as a risk, the mitigating strategies include things like tightening up security safeguards, developing a breach response plan and complementing that plan with a strategy for communications.

2. Include comms in the crisis planning and response

Every organization should identify, establish and train its crisis planning and response team – before something happens. Each member’s role and responsibilities should be made clear. Since most crises include some form of communication, make sure to include a communications specialist in this group.  

3. Prepare a crisis comms strategy

With most breaches, time is not on your side. Having certain things ready in advance can be a real lifesaver. Given this, the breach response plan should have a crisis communications strategy baked right into it. A comms strategy includes things like objectives, target audiences, messages and tactics. The strategy should contemplate potential scenarios and should include some pre-drafted processes, messages, checklists and templates.

4. Determine your overall breach response goal

Each crisis has unique attributes and it’s difficult to plan for every possible scenario or question. So, when a crisis does hit, it’s helpful to take a moment to determine your organization’s goal in dealing with the incident, in light of its corporate values. What will success look like at the end of it? Making sure the goal you establish is clear, brief, succinct and understood will help everyone involved to focus the limited resources and efforts, as well as the communications tactics. It will also help you answer questions that come up, because you’ll measure the answer against whether it will help you achieve that goal.

5. Identify and understand your audiences

There are often many different stakeholders to consider in the event of a breach – customers, investors, media, regulators, even police, to name a few. Each one needs to be considered carefully: they may require different types of information, there are likely legal considerations in dealing with each one, and there may also be requirements and preferences as to the preferred and most effective communications channels.

6. Don’t forget your staff

This one deserves its own bullet because unfortunately, sometimes, organizations are so focused on their external audiences that they forget their internal ones, which are so vital to maintaining stability and operations in the face of a crisis. Make sure staff are included in your list of audiences in the communications strategy. Ideally, once you know an incident like a privacy breach has occurred in your organization, your staff hear about it from you instead of from the media.

7. Balance the risks of a media response

Speaking of media, how do you manage media effectively in the event of a breach?

Certainly, don’t speak to the media about a breach before your response team is activated and involved, so that legal and other issues can be addressed, and before you have certain basic facts straight. Remember, though, that the news cycle moves quickly and that waiting too long on a media decision can put you in a defensive light. Not all breaches need to be shared proactively with the media – in many cases that would be overkill. That being said, in the right circumstances, a media request from an established outlet or even a proactive media announcement and briefing about an incident can be an opportunity to be heard, to deliver your key messages and to demonstrate openness and transparency early on.

8. Have clear, consistent messaging

I noted earlier that different audiences might require different information, depending on who they are, the impact of the breach on them and their relationship with your organization. The main messages must, however, be very consistent across the board. Regulatory required notices and reports need to include all the legally mandated points, but your other communications shouldn’t be drafted in legalese. Consider focusing your communications on the 5 Ws and keeping the language simple and straightforward. Also keep in mind that most people have limited numeracy skills, so pay special attention to the way you present numbers, to reduce the possibility of confusion.

9. Assess and integrate post-breach comms

Your organization’s reputation might take a hit, in the moment, when a breach occurs. But a breach story doesn’t need to define your company. Think about the goal established at the outset and make sure that your breach response plan and the accompanying communications strategy consider both the shorter and longer term. Undertake a post-mortem and, as part of the process, explore and implement communications tactics that are going to help you move beyond surviving the breach to thriving post-breach. Remember that in this era of frequent privacy breaches, demonstrating resilience in how your organization handled a breach can go a long way toward maintaining or rebuilding that hard-earned trust.

10. Practise, practise, practise

While there’s some debate on the merits of the 10,000 hours rule – the one that says you can be good at anything if you just put in the time – there’s no question you’ll be in a better position if you dedicate time to reducing breach risks and planning for them. So, remember to practise, practise, practise. And with all the right people at the table. Too often, tabletop exercises are limited to the IT and legal folks. But we urge you to invite comms pros to the tabletops and practice sessions too, to work through the crisis and breach response plans, strategies, scenarios and prep materials with these colleagues. You’ll be glad you did!

Filed Under: Communications, Privacy Breach

Tips for simplifying privacy communications

June 24, 2021 by Anne-Marie Hayden

Guidance on consent often emphasizes that notices need to be in plain, easy-to-understand language for the consent to be meaningful. The thing is, the guidance doesn’t often tell you exactly how to do that.

In a recent speech to records and information management professionals, I offered a few concrete tips on how to improve your privacy communications.

Here are my top 10 takeaways:

  1. You’re almost always writing for online, so apply best practices in web writing when drafting privacy notices and policies.
  2. Make sure your sentences are short and concise, with one idea each.
  3. Use action words and avoid the passive voice.
  4. Eliminate jargon, acronyms and abbreviations.
  5. Use sub-heads – they make your text scannable.
  6. Use bullets and numbered lists instead of paragraphs.
  7. Lead with the “top tasks” – the main reason people go to that page.
  8. Use layers to point to more in-depth information.
  9. Ask someone who’s less familiar with your subject matter to review.
  10. Run your content through readability and accessibility tests that are available on most word processors.

Applying these best practices can help your organization be more clear and transparent about its privacy practices. Even easier… you can reach out to us, at nNovation LLP, for help with it.

Filed Under: Communications, Privacy

The risks and rewards of CPOs playing a role in communications

April 22, 2021 by Anne-Marie Hayden

I participated on a panel recently, at an event organized by Wirewheel and with some other distinguished folks, to explore the idea of the chief privacy officer as spokesperson. The event was under Chatham House rules, so I can’t provide a play-by-play of the conversation, but I did want to take a moment to share some thoughts I had on this topic, leading up to and during the event.

Let’s start by considering a few things we know: that people care about their privacy – otherwise, there wouldn’t be laws and we wouldn’t be in business; that more and more, people want to do business with organizations they feel are ethical; that doing privacy well builds customer trust; and that regardless of the role consent may play down the road, the need for openness and transparency isn’t going away anytime soon. 

I believe that with the right foundation, making the CPO – the subject-matter expert on and champion for privacy – more proactively visible in an organization’s communications can be a way to demonstrate more transparency and accountability, and that it has the potential to boost an organization’s credibility and help it stand out as a privacy leader in the marketplace.

What does it take for a CPO to delve into the wonderful world of communications? Granted, every situation is different. It certainly depends on the maturity of their privacy framework and whether they’re confident the organization’s privacy is in good shape. If not, we suggest you consider getting your privacy “house” in order and nNovation can certainly help. It also depends on whether collecting and protecting personal information is a relevant aspect of the business model. It depends on the company’s communications policy and whether it’s open to a more decentralized approach and the CPO’s level of knowledge on the subject. And it certainly takes collaboration with communications experts – within or outside the organization – as well as proper planning, training and practice.

What form can this take? I’m not suggesting that the CPO needs to get out there tomorrow to pitch and grant interviews to the Globe and Mail on their company’s privacy practices or that the CPO should take over the comms function – we need to recognize that everyone has their role. What I am suggesting however is that with the right planning, the CPO may be the best person, as the subject-matter expert, to respond to certain media requests, pen a blog, submit an article to a trade publication, participate in a podcast, give a speech on the topic and even play a role in privacy-focused marketing. Exploring the potential of these activities with the company’s comms team can help ensure the CPO is well prepared with clear key messages, strategies for responding to challenging questions, and armed with best practices and things to avoid. In this world, let’s face it: almost everyone is a communicator to a degree. These are very transferable skills and in my experience it’s best to get your feet wet and not wait until something goes wrong to try to develop these muscles.

What about when things do go wrong? There can also be a role for the CPO in public communications, in the unfortunate event of a privacy breach. If the organization has done a risk assessment, collects personal information and has identified cyber security as a risk, the company likely has mitigation strategies in place. It’s important to remember that these should go beyond the technological ones. Breach preparedness is key to successfully weathering a breach, reputation intact. Building a communications strategy directly into that breach response plan is essential. Part of the equation is ensuring subject matter experts, like the CPO, are ready, willing and, most of all, able. Sure, there are certain occasions when the CEO will have to be the spokesperson and there are others when it might make sense for corporate communications to handle things. I would argue that in an era of openness and transparency, when privacy is paramount, considering a more proactive role for the CPO in communications and a public role in the event of an incident is a way to help establish trust and credibility – in either scenario. Are there risks associated with the CPO being out there?  Sure, but I’d encourage organizations to weigh those against the advantages, as well as the risks of not doing so.

I have spent more than 25 years as a communicator and 18 years in privacy. After a brief time in the culture and heritage sector, I came back to privacy not only because of the great importance of the issue, but because I think deeper links can be made between these two often separate ideas – communications and privacy – and I want to play a role in that. Privacy is sometimes seen as standing in the way of certain communications and marketing efforts. I’d like to concentrate on updating that narrative. If you look closely at the privacy principles, you’ll see that about half of them can be significantly advanced through effective communications. We can help organizations understand and implement communications strategies that will enable them to better comply with privacy requirements on the front end, better respond publicly to privacy incidents when they do occur and ultimately contribute to better positioning them as the privacy-forward organizations they are… and can be.

Filed Under: Communications, Privacy

135 Laurier Avenue West, Suite 100 Ottawa Ontario K1P 5J2

Copyright © 2020 nNovation LLP. All Rights Reserved