Do You Really Have a Breach Communication Plan?

If your company doesn’t have a crisis communication function, and doesn’t have a breach readiness plan, in the event of a public security incident it’s highly likely marketing will be the one everyone looks at when the CEO says ‘now what do we do?’

How do we manage the media? What do we tell customers, analysts, investors? Who are the spokespeople and are they trained and credible? Twitter is on fire. Legal is telling everyone not to say anything and your iPhone is ringing like it’s your birthday. Maybe you just started at this company as their CMO and while you were busy implementing the new modern marketing engine, trying to recruit top talent, and rebranding the company, did you remember to put together a crisis communications plan?

There is nothing worse for a company than to be trying to figure out how to communicate and manage the communication about a data breach as it is happening.

Preparing for and managing a breach must be part of a company’s overall security strategy, and part of our marketing plans like a life insurance policy you hope to never have to use. What’s important is that there is a breach response plan and in that plan there is a communication component. First, know your disclosure policy, (well first, do you have one, and do people understand it), build for the worst case scenario and then work backwards from there. It’s important for the entire executive team to understand what gets disclosed to whom, what constitutes or gates disclosures, how it is communicated, who communicates it, who are the spokespeople for which aspects of the communication, how are customers contacted, and what the internal messages are.

According to a recent Ponemon Institute study, consumers expect cash compensation after a breach and data breaches are in the top 3 of incidents that affect reputation.

Also, reputation harm can be caused by compromises that aren’t actually real. Here’s a hypothetical scenario (similar to something I’ve witnessed but genericized to protect everyone). A hot new IPO creates the latest gadget; and they are going into the Christmas season. At the same time a hacker goes into a forum and brags that the device can be hacked to a closed group. Someone else posts on a different forum and a newspaper picks it up and a news cycle begins. The company, who doesn’t have a Chief Security Officer or a sophisticated security program, denies it can be hacked and gives some technical reasons why it's safe - which hackers love to take as challenges. Hacker forums go nuts and hackers try to compromise the device, with some claiming success. The mainstream media doesn’t know the technical hairs being split on whether it’s a hack or not. Legal advises that no one says anything so rumors aren’t managed. Customer service gets flooded with calls; stock goes down, sales stall…all during the holiday season and closing out Q4…and there may have never actually been an intrusion.

This kind of story is why EVERY company should think through breach scenarios and at least create a communication plan. News cycles don’t wait for investigation and fact finding, so have a game plan.