According to Breach Level Index, 2017 was a record year for data breaches with more than 2.6 billion data records compromised and nearly three-quarters of breaches originating from ‘malicious outsiders.’ Data breach incidents by companies operating globally across multiple industries, from retail and financial to healthcare and educational institutions, have impacted nearly every American household, concurrently compromising the affected company’s market position and shaking consumer confidence.
The outcome of a data breach event can vary materially based on a number of factors. Breaches in the retail and financial industries have resulted in the loss of customers, the decline in stock values, and even class action lawsuits, while some healthcare organizations have been forced into bankruptcy following breaches that exposed patients’ private health information.
While a breach itself may cause significant damage to any brand, a company’s response plays the most critical role in protecting corporate reputation and, ultimately, restoring consumer confidence. Despite emerging global regulations outlining specific response requirements and reporting timelines, companies must consider how their breach response plans account for – and position at the forefront – strategic stakeholder communication.
The 24-hour news cycle and real-time access to information can elevate a data breach event to broad consumer awareness in hours. Company visibility and engagement with its internal and external audiences in the wake of a data breach is paramount to easing immediate concerns and conveying a long-term commitment to breach remediation. From incident response planning through the completion of consumer remediation, companies responding to a data breach can protect their brands and reputation by remaining visible and strategically communicating with stakeholders through every stage of response.
Incident response planning
Proactive incident response planning underpins a company’s ability to respond quickly and effectively to breach situations. Comprehensive plans can help preserve corporate reputation specifically by accounting for and outlining stakeholder communications objectives and tactics, ensuring the right communications are delivered at the right time throughout the response cycle.
Breach response teams, inclusive of representatives from all company departments, particularly executives, in-house communications professionals, and third-party data breach providers, should be identified in advance and trained on response protocols prior to crisis situations. Response teams should allocate time and resources to conduct annual mock data breach exercises to ensure processes are current and adequately address all potential contingencies.
Finally, a detailed record of all response plans, planning activities, and mock exercises should be maintained and provided to clients as evidence of a company’s commitment to data protection.
Communications Best Practices
- Prepare and maintain a list of company stakeholders and contact information to facilitate rapid response and real-time communication in the event of a breach. The list should include employees, customers, regulatory bodies and enforcement agencies, and industry news media. Delegate a response team member to update this list quarterly.
- Develop draft response communications and alerts tailored for specific parties in advance to reduce approval timelines following a breach. Draft responses should outline only that information that is known to be true at the time of release and is relevant to the recipient.
- Anticipate and prepare frequently asked questions (FAQs) and resources for stakeholders that can be easily updated with breach-specific information and deployed in near-real time following a breach.
- Identify company spokespersons to leverage for media inquiries and other public statements, and conduct professional media training in advance so they are prepared to deliver sufficient detail without compromising the integrity of the response.
When a data breach occurs, the affected parties must be notified within a timeframe that satisfies state, federal, and industry regulations while also taking into consideration the impact that notification will have on both the brand and its consumers. Ideally, consumers will learn of the data breach directly from the company, allowing it to maintain control of the messaging and details, and outline remediation plans at the outset.
Together with the data breach provider, company leadership should assess an appropriate level of visibility, recognizing that in many cases, a company’s visibility following a crisis event may lead to increased brand favorability. Too often, companies avoid associating themselves with a breach response, when in reality, remaining connected to the breach resolution is paramount to preserving corporate reputation. Executives should be prepared to express regret without liability in initial internal and external communications following a data breach.