Why planning what you’re going to say about your data breach well BEFORE you’ve even experienced a cyber incident makes WAY more sense than you’d think…
Proactive and engaged businesses love communicating with their customers and stakeholders. Whether it’s sending out a new feature update or a post to the socials about a conference they spoke at, it’s a chance to build brand awareness, engage with current and prospective clients, and contribute to the broader industry knowledge pool.
What’s much less fun is having to communicate bad news – and when it comes to bad news in business right now, a data breach is one of the worst scenarios imaginable.
Despite the looming spectre of what havoc a high-profile data breach might wreak on their organisation, following the fallout from the Optus, Medibank and other 2022 breaches, nearly 40% of Australian businesses still report having no cyber incident response plan in place!
Not if, but when you experience a security incident of any kind, the difference between a fast descent into chaos and maintaining effective control over your response and your reputation will ultimately come down to two key factors … Preparedness and Communication. This means knowing who to ask, where to get the information you need, who is holding the ball AND then when, where and how you are going to communicate that information to the people that need it!
Our data breach response team has worked with a public relations and crisis communications agency to identify five golden rules for planning and delivering effective data breach communications.
The Five Golden Rules for Effective Data Breach Communications
1. Prepare a Comms Plan
An often-overlooked part of cyber incident response planning is considering the how, what, when, and who of authorising and providing updates internally and externally when the data has literally hit the fan. The Comms Plan portion of your overall Cyber Incident Response Plan needs to cover:
- Who’s responsible for communications and who you’ll communicate with;
- In what order, at what key points and through what channels;
- Who will have input and sign off on your comms, content and materials;
- Who will brief spokespeople and the media; and
- Strategies for managing media enquiries.
To really ensure your Comms Plan is ready to fly, you should consider preparing communications templates covering a range of audiences and channels. No two crises are identical, and your templates will require a fair bit of customisation if and when they need to be used in a live crisis, but having pre-approved language and general guidelines to work with at least allows you to hit the ground running.
But not every organisation has a communications expert in-house ready to spring into action and craft the time-critical and tailored comms you’ll need. The best options here are to proactively leverage any crisis communications capabilities available via your marketing or legal partners, or set about establishing a relationship with a shortlist of experienced experts you can call upon in the event of a crisis.
2. Put your own oxygen mask on first
When dealing with a cyber incident, many companies’ first thoughts naturally turn to what they’ll tell their customers and the public. But communicating with your team is equally, if not more, important as a first step.
Before you send anything out externally, make sure you communicate what you have established so far to your own teams, including:
- What’s occurred, and what’s affected to the extent known so far;
- Any steps you’ve already taken to contain, mitigate or rectify the issue;
- Any impact on your internal capabilities to access systems or continue operations;
- Any business continuity provisions that have been enacted;
- How much detail you will be providing to customers;
- The resources or support you intend to make available to staff and to customers.
Keeping your people updated as the situation develops is a must, with one important caveat… Always work on the assumption that any information you share internally can and will find its way outside of your business. It may be the case that different levels within your organisation fall into different need-to-know-basis categories.
In any case, providing consistent messaging, as well as approved messaging packages that those speaking directly with customers can confidently refer to and use, will make it easier for your staff and customers to maintain calm throughout the incident response and recovery phases.
3. Communicate like you’re…eight!
One of the most challenging aspects of a data breach is how long it can take to get a clear picture of exactly what’s happened. In the early stages of an incident, you probably won’t know the extent of the breach. You likely won’t yet know which systems and customers are impacted or which information was accessed and how – and that makes communication hard.
Nevertheless, it is absolutely crucial to let people know what you do know – however little that may be – in clear, explain-it-to-me-like-I’m-eight language with direct, easy-to-follow instructions on whether they need to watch and wait or take some sort of immediate action.
The issue of when to communicate can be a tricky one. It feels like a bit of a Catch-22; go too early and you risk creating unnecessary panic and muddying the waters, go too late and you may be accused of stalling or attempting a cover-up, which can do more reputational damage than the initial breach itself.
No two cyber incidents are ever alike, but here are some general tips on letting your interested parties know “We know, and we’ve got this!”
- Provide as much information as is necessary and appropriate as soon as it becomes available;
- Clearly state when recipients should expect to receive a next update;
- Keep that commitment and deliver those follow-up comms on schedule, even if it’s just to say you’re still investigating;
- When actions have been or need to be taken, identify exactly who is responsible for taking which actions and when;
- Provide directions for how your customers can access more information, resources or assistance;
- When it’s all said and done, send your key stakeholders a post-incident summary, including your learnings and what you’ve put in place to prevent a reoccurrence.
4. Offer accountability… Not excuses
A cyber-attack – particularly one that exposes customers’ sensitive data – is a fast track to eroding consumer trust in your brand or service. Take a look at Optus, for example, which, following its very large and very public 2022 incident, was named Australia’s most distrusted brand in Roy Morgan’s 2023 Industry Trust & Distrust Rankings.
Rebuilding that trust and stemming the spread of reputational damage hinges on striking the right mix of measured transparency, honesty and humility. Being open and honest in the wake of a cyber-attack is not only the right thing to do, it’s a proven strategy; and few words go further towards rebuilding broken trust than a genuine apology.
Fortunately, in Australia, the law generally recognises that saying sorry is a gesture of decency rather than an admission of culpability. Nevertheless, it’s always a wise move to run your communications through a legal team or advisor to ensure that your messaging is not only empathetic, but legally sound.
As we’ve seen in the handling of corporate security incidents in recent years, there are good ways to do this, and counterproductive ways.
Good apologies, including any admission of security failings, need to be genuine, excuse-free, and offer to do as much as possible of the heavy lifting required to rectify the situation for stakeholders. Again, reiterate the steps you’re taking to review and rectify the situation, as well as prevent similar incidents in the future.
5. Don’t just close the loop… Circle right back around
Communication must always flow two ways. Some organisations will believe their job is done once the threat has been contained, recovery actions set in motion and they’ve “closed the loop” with a raft of well-crafted communications that have been sent out across various channels.
However, recovering confidence and trust after any incident – cyber or otherwise – means finding ways to keep the lines of communication open by actively encouraging stakeholders, both internal and external, to raise their personal data, work practice, cyber security or other concerns, questions, and feedback, and contribute to building and maintaining a culture of better cyber security.
*Acknowledgements: With thanks for contributions by Patrick Rasmussen, Public Relations Exchange.