Tue, May 14, 2019

Mitigating Reputational Risk in Data Breach Response


Whether your data breach involves 500 or 5 million records, affected consumers, employees, investors – and ultimately regulators – will expect to hear from you. What happened? Were you proactive in your security and ability to detect a breach? How will you make things right and prevent it from happening again? 

Being prepared to communicate to an array of audiences throughout the crisis is a critical element of having a defensible cybersecurity strategy. Experts in breach notification and public relations can play a vital role in helping organizations mitigate the effects of a data breach, including:

  • Reducing the impact of a breach on customers, employees and partners
  • Lessening the risk of subsequent litigation
  • Saving time and money for your organization and your cyber insurer 
  • Minimizing damage to your brand and bottom line


The Incident Is Just the Beginning

In the first hours (and even days and weeks) of a crisis, breach victims often don’t have a complete picture of what has happened. Breaches can be made worse by misguided public relations efforts that take too long, fail to come off as transparent or provide statements that must be corrected as the forensic investigation uncovers new details.

A proactive approach to planning for a data breach has proved to be most effective. Organizations that develop thoughtful and holistic crisis communications plans enable their incident response teams to begin restoring trust among their base from the very first announcement. Critically, these efforts must continue across all touchpoints until the incident is resolved.

The reach of a communications plan isn’t limited to reputation and customer trust. All 50 states, as well as many governments around the world, have breach notification laws that dictate the timing of notification. Having a communications plan sorted out ahead of time enables your organization to ensure it is in compliance with notification laws, which in turn helps to avoid fines or legal costs piling onto existing financial losses. Critically, looping in your outside counsel or legal team during the proactive planning phase will alleviate some of the tasks needed post-breach.


Pre-Breach Communications Planning

Crisis communications experts can help your organization better position itself for a potential breach by:

  • Developing a crisis communications playbook, and updating it quarterly, that covers (at minimum):
    • The contact information for all internal and external members of the response team.
    • Comprehensive lists of all audiences, including employees, partners, customer bases, members of the media and how to reach them.
    • Incident response steps that include prerequisites for going public, potential vulnerabilities, and action prompts for anticipated scenarios.
    • Media policies to be distributed firmwide before an incident and on a regular basis.
    • Drafts of communications materials, including notification letters, press releases, social media statements, website materials, press materials and holding statements.
  • Running a tabletop exercise with the full team. While team members may not react during the actual crisis in the same way they do during a tabletop exercise, practicing their roles will help.


Responding to a Breach

In the event of a breach, PR partners can provide the following support:

  • Help you understand the media landscape surrounding your industry and how that will impact coverage and audience response.
  • Serve as an intermediary with the media when necessary to ensure that you are keeping up with requests, not missing the opportunity to tell your side of the story and preventing the spread of inaccurate information.
  • Counsel on how to communicate with audiences and what to say, depending on such factors as where you are in the incident and who the audiences are. 
  • Advise on how and when to leverage social media – e.g., solely as a tool for monitoring client sentiment or as a way to keep parties updated.
  • Liaise between legal team and client to ensure communications are meeting the needs and goals of all parties.

Note: Your internal or external counsel should formally engage the breach notification partner and PR firm to ensure privilege extends to all subsequent activities and communications. Also be sure to document all communications efforts and remediation steps, which can contribute to your organization’s defense in the event of litigation.


Customized, Compliant Notifications and Beyond

In close coordination with your public relations experts, your breach notification partner can counsel on how to communicate with affected individuals.

Highly experienced breach notification partners can help your organization avoid potential pitfalls as well as optimize your outreach. For example, when one of Kroll’s clients drafted a notification letter that indicated their security incident was caused by a specific employee, Kroll recommended removing this to preempt requests for information on the employee or attempts to contact the employee directly. In another case, Kroll was sent 26 letter versions to notify the impacted population. Kroll guided the client on letter variances and was able to decrease the number of versions down to three. This alleviated the client’s burden, reduced their costs and greatly facilitated notification.

While legal counsel will be instrumental in producing compliant notification, your breach notification partner can help ensure you leverage your organization’s defensible narrative. The following sample outlines how a notification letter can be structured and the details it might communicate:

  • When/Where did the theft/breach occur?
  • What happened? What was lost or stolen?
  • What is [Client] doing about this?
  • [Sample: Client immediately notified local law enforcement and is cooperating with them as they continue their investigation.]
  • What is [Client] doing to prevent this from happening in the future?
  • [Sample: [Client] has examined and analyzed existing procedures and systems to ensure appropriate security measures are (reinforced/in place).]
  • Why wasn’t I notified sooner?
  • [Sample: [Client] immediately notified local law enforcement officials and launched an investigation into the incident. The investigation included a review of internal security systems to confirm that procedures already in place are strengthened to further safeguard against a breach of data security in the future. Last, it was imperative that impacted individuals were identified and their contact information gathered into a consistent format for notification. This investigation was a time-consuming process, but Client believed it was necessary to ensure appropriate precautions and next steps were taken.]

Your breach notification partner should be well versed in best practices relating to scrubbing data, checking databases, using first class mail, etc., to help optimize speed and deliverability of notices while reducing unnecessary costs. When appropriate, an email or customized website could serve as alternate forms of notification. Your legal, PR and breach notification partners will ensure these are created with the same level of attention and detail to support affected individuals while also monitoring engagement.

Additionally, in selecting a breach notification partner, an important criterion to consider is their ability to quickly establish call center support, staffed by skilled, multilingual representatives who can function as a seamless extension of your company.


Communicating and Supporting, Not “Spinning”

A crisis communications firm’s role isn’t to cover up a data breach or spin it into something it isn’t. Rather, they will focus on managing the communications process in a way that will minimize reputational risk.

An experienced, full-service breach notification provider will have the resources and expertise to guide and optimize all your outreach and remediation efforts, including those directed by PR firms and legal counsel. Working together, they can help ensure your organization is in the best defensible position while also restoring your reputation, brand and relationship with stakeholders.

This article is based on a webinar presented by Brian Lapidus, Global Leader of Kroll’s Identity Theft and Breach Notification practice, and Zach Olsen, President, and Kelsey Eidbo, Senior Client Supervisor, of Infinite Global. For more insights on this topic, please click here to listen to the webinar.
