Whether your data breach involves 500 or 5 million records, affected consumers, employees, investors – and ultimately regulators – will expect to hear from you. What happened? Were you proactive in your security and ability to detect a breach? How will you make things right and prevent it from happening again?
Being prepared to communicate to an array of audiences throughout the crisis is a critical element of having a defensible cybersecurity strategy. Experts in breach notification and public relations can play a vital role in helping organizations mitigate the effects of a data breach, including:
In the first hours (and even days and weeks) of a crisis, breach victims often don’t have a complete picture of what has happened. Breaches can be made worse by misguided public relations efforts that take too long, fail to come off as transparent or provide statements that must be corrected as the forensic investigation uncovers new details.
A proactive approach to planning for a data breach has proved to be most effective. Organizations that develop thoughtful and holistic crisis communications plans enable their incident response teams to begin restoring trust among their base from the very first announcement. Critically, the efforts must continue across all touchpoints until the incident is resolved.

The reach of a communications plan isn’t limited to reputation and customer trust. All 50 states, as well as many governments around the world, have breach notification laws that impact the timing of notification. Having a communications plan sorted ahead of time enables your organization to ensure you are in compliance with notification laws, which in turn helps to avoid fines or legal costs piling on top of existing financial losses. Critically, looping in your outside counsel or legal team during a proactive planning phase will alleviate some of the tasks needed post-breach.
Crisis communications experts can help your organization better position itself for a potential breach by:
In the event of a breach, PR partners can provide the following support:
Note: Your internal or external counsel should formally engage the breach notification partner and PR firm to ensure privilege extends to all subsequent activities and communications. Also be sure to document all communications efforts and remediation steps, which can contribute to your organization’s defense in the event of litigation.
In close coordination with your public relations experts, your breach notification partner can counsel on how to communicate with affected individuals.
Highly experienced breach notification partners can help your organization avoid potential pitfalls as well as optimize your outreach. For example, when one of Kroll’s clients drafted a notification letter that indicated their security incident was caused by a specific employee, Kroll recommended removing this to preempt requests for information on the employee or attempts to contact the employee directly. In another case, Kroll was sent 26 letter versions to notify the impacted population. Kroll guided the client on letter variances and was able to reduce the number of versions to three. This alleviated the client’s burden, reduced their costs and greatly facilitated notification.
While legal counsel will be instrumental in producing compliant notification, your breach notification partner can help ensure you leverage your organization’s defensible narrative. The following sample outlines how a notification letter can be structured and the details it might communicate:
Your breach notification partner should be well versed in best practices relating to scrubbing data, checking databases, using first class mail, etc., to help optimize speed and deliverability of notices while reducing unnecessary costs. When appropriate, an email or customized website could serve as an alternate form of notification. Your legal, PR and breach notification partners will ensure these are created with the same level of attention to detail to support affected individuals while also monitoring engagement.
Additionally, in selecting a breach notification partner, an important criterion to consider is their ability to quickly establish call center support, staffed by skilled, multilingual representatives who can function as a seamless extension of your company.
A crisis communications firm’s role isn’t to cover up a data breach or spin it into something it isn’t. Rather, they will focus on managing the communications process in a way that will minimize reputational risk.
An experienced, full-service breach notification provider will have the resources and expertise to guide and optimize all your outreach and remediation efforts, including those directed by PR firms and legal counsel. Working together, they can help ensure your organization is in the best defensible position while also restoring your reputation, brand and relationship with stakeholders.
This article is based on a webinar that was presented by Brian Lapidus, Global Leader of Kroll’s Identity Theft and Breach Notification practice, and Zach Olsen, President, and Kelsey Eidbo, Senior Client Supervisor, of Infinite Global. The full webinar offers further insights on this topic.