Data breach: developing a crisis response plan

Data breaches have become common in the retail, healthcare, financial, and e-commerce sectors, with large cases like T.J. Maxx and Pfizer gaining worldwide media attention. According to the Identity Theft Resource Center, there were 656 reported data breaches to date in 2008, a 47% increase over 2007. These breaches can have massive reputational consequences for the companies involved.

For PR pros, data breaches are one of the most difficult types of crises to manage. Companies must balance the needs of many internal and external stakeholders, yet the goals of each of these parties might conflict. Internally, legal, risk management, and privacy officers, as well as marketing and even security executives, must be involved. External stakeholders with their own agendas can include partners, customers, shareholders, vendors, and law enforcement. The involvement of so many departments can make it difficult for communications pros to respond to media, investors, and other stakeholders in a timely manner. However, advance preparation and planning for a breach incident is one key to successfully navigating a breach and mitigating reputational damage. Here are some ways the PR team can prepare for a data breach:

1. Identify an incident response team. Assembling contacts from legal, IT, risk management, privacy, C-level executives, IR, and PR creates a smooth process. Make sure to assign each member of the team a primary responsibility and task, such as documentation or law enforcement notification.

2. Draft a data breach response plan. Create a list of vendors that can help execute a response, such as data forensic specialists, law enforcement, privacy specialists, and crisis communications pros. Prepare materials such as notification letters, press releases, and call center scripts and circulate them to the response team for preliminary approval.

3. Practice. Plan to meet with the incident response team once a quarter to review materials and make sure the lines of communication remain open. Brief meetings before a breach occurs are like added grease on the wheels of an organization, ensuring things run more smoothly when they need to, and that everyone builds trust and confidence in one another before the pressure is on.

In ICR's experience with breach response, it has found that the companies that fare the worst in the press are those that attempt to evade responsibility, or that act in a less-than-transparent manner. Most likely, these companies are not acting out of malice, but are overwhelmed by the task of responding to a breach. Having a response team, plan, and partner relationships in place can help companies respond in a timely manner to a breach and mitigate the negative media surrounding the event.

Michael Fox is a senior managing director of ICR, a financial communications consulting firm. He heads the corporate communications team.
