how PR can respond to data breaches

Image by Gerd Altmann from Pixabay

The recent data security breaches of multiple federal agencies highlight the ongoing threat of cyber attacks and breaches. Hackers with suspected ties to Russia gained access to government systems through third-party vendor SolarWinds. Up to 18,000 SolarWinds customers may have been running software with the vulnerability that permitted the breach, CNN reports. The vulnerability is also common among other companies, says cybersecurity firm FireEye, which was also hacked in a separate incident.

There were 2,953 publicly reported breaches in the first three quarters of 2020, a 51% decrease compared to the same period last year, according to Risk Based Security. By the end of the second quarter, 2020 was already the worst year ever in terms of the total number of records exposed.

Facing enough problems with the Covid-19 pandemic, companies deprioritized IT projects, and employees working remotely opened new vulnerabilities. Hackers have become increasingly sophisticated and vicious. In addition to theft of personal financial information, companies now fear ransomware attacks, and politically motivated attacks or “hacktivism.”

Security breaches bring legal, regulatory and brand reputation risks. The company stock price may plunge, at least temporarily. An ensuing PR crisis may seriously damage the brand’s reputation and customer relationships.

“When a breach is revealed, the attacked company is portrayed not as a victim, but as negligent and, in a subtle way, complicit in the event that ultimately exposed partners and customers,” writes Steve McGaw, CMO of AT&T Business Solutions, for the PRSA.

Recommended Best Practices for Cybersecurity

Preparation is the best defense. A security breach is possible no matter how skilled your IT team. In a common social engineering trick, hackers pose as company employees and ask real employees for passwords. Or they pose as friends and send malicious links. Training employees to be on guard against such tricks is the best defense.

Create a communications plan for security threats that establishes clear protocols for how to respond and how to inform the public and stakeholders.

“The worst thing you can do for your brand once news of a breach hits is to have to scramble to find out who to work with to understand the issue, who is communicating to what audience, and who needs to be looped in,” McGaw says.

Benchmark and train. Companies are more likely to be confident in their crisis management plan when they regularly benchmark against best practices, conduct drills on key risk areas at least once a year, and name a formal crisis management team. Some companies recruit outside firms to run PR crisis simulation drills. The best drills reproduce fast-moving PR crises with a frightening degree of reality.

Establish the facts. When a data breach occurs, the first step is to hold a “what do we know session” that includes top-level executives from legal, PR, security, IT and any other relevant department. It’s recommended to develop strong working relationships among those groups before a crisis strikes.

The initial meeting with key personnel is to determine what data was compromised, the number of people impacted and potentially impacted, how they should be alerted, if the security hole has been fixed and what law enforcement agencies should be notified.

Communicate. Promptly and honestly disclose what you know. If you’re still searching for answers, say it. People don’t expect you to know all the answers immediately, but they do expect communication. Ongoing updates as the crisis evolves is crucial for maintaining trust. Communicate directly, not through the press, with the affected individuals. Setting up a special website or an easily accessible page on the corporate website gives those individuals and the press a central location to obtain accurate information.

FireEye’s swift and transparent communications response after its breach won commendation from crisis communications  experts and safeguarded its reputation. It first issued a clear, concise, and honest blog post that described the breach and its response.

“By getting ahead of media coverage or unintentional disclosure, FireEye owned the narrative and protected itself from long-lasting reputation fallout and financial impact,” writes Kaylin Trychon, vice president at ROKK Solutions, in PR News.

Create a war room. A 24/7 hotline to a contact person or department handling inquires and a script responding to questions can ease the communication flow. Prioritize media queries.

Use simple language. Cybersecurity is a complex field full of abstruse jargon. Such esoteric vocabulary can mystify the public and journalists, ultimately creating distrust. Simple and clear language is best.

Take responsibility. Apologize for the inconvenience and disruption. Sincerely. Without excuses. To rebuild trust, the best apologies include an indication of steps being taken to protect affected individuals, to resolve the issue and to prevent further problems. Owning up to the breach can restore trust in the organization. A clear statement detailing what steps will be taken to avoid future breaches is vital, writes PR crisis specialist Emily Dent for Computer Weekly. Taking responsibility implies that the organization intends to make sure it doesn’t happen again. Blaming hackers or others implies that the issue is out of the company’s hands.

Keep key stakeholders continuously informed. Involve top management in actions during the crisis and the preparation of the crisis communications plan. Without timely information, conjecture and rumor can spread. However, experts recommend against releasing all the details of a breach.

“We typically would not communicate all the details of a breach to all employees,” Chris Leach, chief technologist for HPE Security Services, told MIT Technology Review. “We’ll only share enough to make sure they’re confident that we’re handling it, and that this is information they could, and should, share with their customers.”

Monitor media and social media. Close monitoring of social media enables you to know about any misinformation among the public and to know when people say something that requires an immediate response.

“As 2021 planning kicks into high gear, it is time communication teams get smart on cybersecurity and advocate for their organization to stay ahead of any crisis with a strong, practiced strategy,” Trychon concludes.

Bottom Line: Risks of data breaches have become even greater this year. It’s essential for corporate communications teams to rise to the occasion and prepare contingency plans. A swift response, taking responsibility and explaining how the organization will prevent future breaches are key.

This article was first published on Dec. 19, 2018, and updated on Dec. 17, 2020.

Sign up for a free trial of the media monitoring and measurement service