Privacy breaches are happening all the time and they can have dire consequences. When (not if) you experience a breach, the stakeholder trust that’s been built in your organization is on the line.
How you handle the breach can affect how you maintain and, if necessary, rebuild that trust. How you communicate when there’s a breach is an important part of that equation.
Here, I wanted to share a few communications tips to help plan for and address breaches a little more smoothly.
1. Recognize breach risks in risk planning
Many organizations have corporate risk profiles. They help to identify, understand and mitigate a wide range of risks and to address issues effectively when they do arise. These days, if your risk profile doesn’t include a breach as a possible risk, something’s missing. Once a breach is identified as a risk, the mitigating strategies include things like tightening up security safeguards, developing a breach response plan and complementing that plan with a strategy for communications.
2. Include comms in the crisis planning and response
Every organization should identify, establish and train its crisis planning and response team – before something happens. Each member’s role and responsibilities should be made clear. Since most crises include some form of communication, make sure to include a communications specialist in this group.
3. Prepare a crisis comms strategy
With most breaches, time is not on your side. Having certain things ready in advance can be a real lifesaver. Given this, the breach response plan should have a crisis communications strategy baked right into it. A comms strategy includes things like objectives, target audiences, messages and tactics. The strategy should contemplate potential scenarios and should include some pre-drafted processes, messages, checklists and templates.
4. Determine your overall breach response goal
Each crisis has unique attributes and it’s difficult to plan for every possible scenario or question. So, when a crisis does hit, it’s helpful to take a moment to determine your organization’s goal in dealing with the incident, in light of its corporate values. What will success look like at the end of it? Making sure the goal you establish is clear, brief, succinct and understood will help everyone involved to focus the limited resources and efforts, as well as the communications tactics. It will also help you answer questions that come up, because you’ll measure the answer against whether it will help you achieve that goal.
5. Identify and understand your audiences
There are often many different stakeholders to consider in the event of a breach – customers, investors, media, regulators, even police, to name a few. Each one needs to be considered carefully, as they may require different types of information, there are likely legal considerations in dealing with each one, and there may also be requirements and preferences as to the preferred and most effective communications channels.
6. Don’t forget your staff
This one deserves its own bullet because unfortunately, sometimes, organizations are so focused on their external audiences that they forget their internal ones, which are so vital to maintaining stability and operations in the face of a crisis. Make sure staff are included in your list of audiences in the communications strategy. Ideally, once you know an incident like a privacy breach has occurred in your organization, your staff hear about it from you instead of from the media.
7. Balance the risks of a media response
Speaking of media, how do you manage media effectively in the event of a breach?
Certainly, don’t speak to the media about a breach before your response team is activated and involved, so that legal and other issues can be addressed, and before you have certain basic facts straight. Remember, though, that the news cycle moves quickly and that waiting too long on a media decision can put you in a defensive light. Not all breaches need to be shared proactively with the media – in many cases that would be overkill. That being said, in the right circumstances, a media request from an established outlet or even a proactive media announcement and briefing about an incident can be an opportunity to be heard, to deliver your key messages and to demonstrate openness and transparency early on.
8. Have clear, consistent messaging
I noted earlier that different audiences might require different information, depending on who they are, the impact of the breach on them and their relationship with your organization. The main messages must, however, be very consistent across the board. Notices and reports required by regulation need to include all the legally mandated points, but your other communications shouldn’t be drafted in legalese. Consider focusing your communications on the 5 Ws and keeping the language simple and straightforward. Also keep in mind that most people have limited numeracy skills, so pay special attention to the way you present numbers, to reduce the possibility of confusion.
9. Assess and integrate post-breach comms
Your organization’s reputation might take a hit, in the moment, when a breach occurs. But a breach story doesn’t need to define your company. Think about the goal established at the outset and make sure that your breach response plan and the accompanying communications strategy consider both the shorter and longer term. Undertake a post-mortem and, as part of the process, explore and implement communications tactics that are going to help you move beyond surviving the breach to thriving post-breach. Remember that in this era of frequent privacy breaches, demonstrating resilience in how your organization handled a breach can go a long way toward maintaining or rebuilding that hard-earned trust.
10. Practise, practise, practise
While there’s some debate on the merits of the 10,000 hours rule – the one that says you can be good at anything if you just put in the time – there’s no question you’ll be in a better position if you dedicate time to reducing breach risks and planning for them. So, remember to practise, practise, practise. And with all the right people at the table. Too often, tabletop exercises are limited to the IT and legal folks. But we urge you to invite comms pros to the tabletops and practice sessions too, to work through the crisis and breach response plans, strategies, scenarios and prep materials with these colleagues. You’ll be glad you did!