For many organizations, the prospect of a data breach is no longer if, but when. Barely a week goes by without reports that a business, government agency, or other institution has had data – customer records, internal communications, and financial files – stolen or exposed.
If your organization does suffer a breach, here are three experience-tested communications tips to avoid unnecessary pitfalls, mitigate collateral damage, and get back to normal.
- Get your facts straight. Instead of rushing to comment, as some people in your organization may urge, devote your energy to getting the facts right. You don't want to have to issue updated or corrected statements that will only attract new attention.
Don't make a statement until you have clarity on the extent of the data breach, how it happened, and other information that may have been lost and/or could soon be exposed.
- Don't debate details with media. Data breach-related media coverage will, inevitably, contain details that are perceived by your organization to be incorrect, unfair, or distorted. Shake it off. Of course, if errors are glaring and outrageous – such as saying 500,000 email login credentials were compromised, instead of 5,000 – then seek to correct them expeditiously. However, don't quibble over nuances, as it will only invite additional analysis.
- Identify, engage, and enlist third-party supporters. Although it takes advance work, this can deliver high levels of value.
Third-party supporters should not be “shills” for a company. They are, instead, individuals who can provide context and can be a potentially calming influence on emerging coverage. In the case of a data theft, an effective third-party commentator might be an analyst who can make the point that even the strongest organizations and networks are not immune from hacks or data losses.
Most of all, don't wait for a crisis to happen before you start thinking about how your organization would respond.
Terry Banks is an SVP and partner with FleishmanHillard. He leads the firm's cyber security-focused communications practice.