By Chris Thomas, President of Intrepid
Data breaches are among the most challenging, frustrating and anxiety-ridden situations, especially for contractors. Once you discover someone has access to data and/or systems, the process of containing the situation, assessing the damage and responding to your client and other impacted stakeholders is a long, arduous, embarrassing and costly process.
While the best approach to mitigating the damage is thorough cyber crisis communication planning and preparation, how do you respond in the event it’s too late and you find yourself neck deep trying to manage a breach?
The following are three quick tips:
Engage Crisis Communication Experts Early: You wouldn’t wait for a smoldering building to be fully engulfed before calling the fire department. The same should be true with crisis communication during a data breach. The sooner you can bring in crisis communication experts, the better the outcome. If you hire an agency specifically for crisis communications, there is case law that supports the same level of privilege as attorney/client. As such, this should help alleviate fears from legal and provide you with a greater level of confidence in sharing sensitive information.
Identify and Prioritize Key Audiences and Communications Vehicles: Who you address and how you communicate will generally be different according to your organization and the circumstances. In some cases, organizations working as a government contractor may be very limited in what they can communicate. The key is working to quickly determine audiences, options and the most effective approach.
We recently worked with a government contractor that experienced a breach on one of its applications. Their client was especially concerned because their director was receiving criticism from another government entity that was also informing legislators and other influencers about the incident. We quickly organized communication strategy, messaging and channels to provide appropriate context regarding the nature of the breach along with response and remediation efforts. This communication helped to dispel fears and rumors regarding the incident, demonstrated the responsiveness of the organization and positioned it as being well prepared and trustworthy. In the end, the contractor was successful in maintaining its business and relationship with the government entity.
Employ the Right Tone and Message: Use discretion in employing or regurgitating data breach messaging, forms, templates and language, which often are provided by legal counsel. These tend to be formulaic, impersonal and overly legal in content and tone.
In recently managing a social engineering case, we collaborated closely with a law firm specializing in cybersecurity to draft and revise copy to be more appropriate and colloquial while staying within legal perimeters to help avoid a class action lawsuit. This resulted in a better than expected response from the impacted parties and a situation that fortunately did not spread to social or traditional media.Finally, be consistent and stay the course. A breach can be a very trying experience and it’s important to keep in mind that often it’s not the incident itself, but rather the way in you which respond that will leave a lasting impression.
Chris Thomas is president of Intrepid, a Salt Lake City-based public relations agency that has managed more than 100 crises, including data breaches, social engineering and social
media controversies. For more information, visit intrepidagency.com.