Data Breach Public Relations: Getting Ahead of the Message

Posted by Mark Greisiger

A Q&A with Melanie Thomas of INFORM
It’s just one of many pressing concerns during a cyber security event, but public relations and crisis communications are absolutely essential for sustaining customer loyalty and brand reputation long after the headlines fade. I spoke with Melanie Thomas of INFORM about how these services work and what companies can do right now to prepare for an emergency situation.

Why is crisis communications expertise vital in this age of inevitable data breaches and privacy violations?
This is a major problem affecting organizations in every business sector. We’ve all seen the examples on the news, and there are so many others that have flown under the radar, with both good and bad examples of how to manage a PR response. At the end of the day your brand and your reputation are at stake.

Who should be tasked with the response?
Having a crisis team that’s educated on data breaches and particularly the regulatory constraints involved is critical. There are federal agencies involved, as well as differing state regulations. A PR generalist is not going to have the exposure to the very specific process required by a data breach, and they’re not going to have the time or bandwidth in an emergency situation to learn what they need to know. In addition to a PR person who specializes in this area, the team should include a privacy attorney and a forensics specialist. When you have a breach you need a cool head—you need to know what you can and can’t say, you need to know the optimal timing. You don’t want to come out too quickly with a statement, but you also don’t want to wait too long. Every organization needs to appoint a spokesperson and crisis captains who lead their divisions—whether it’s human resources or IT.

Tell me more about that process. What might the timeline look like in terms of PR steps following a breach event?
It really depends on the company and where they are located, because as I mentioned, operating regulations are different in every state. What’s critical is that even when there’s the slightest sense there has been an incident, the crisis captains come together. Ideally, there would already be a plan in place so that when the time comes, the crisis captains and spokesperson can meet with counsel to determine the best time the information should be released to the marketplace.

What might go wrong and what’s the worst-case scenario?
What you never want to happen is for the information to be leaked before you can formulate a response. You never want to be playing catch-up. These days, it’s very hard to stay ahead of the message. A customer might notice what’s happened before anyone else does and go on social media to complain. That can lead to a snowball effect and the next thing you know CNBC is calling. But we’ve seen even worse things happen—if the government decides you didn’t handle the breach appropriately you can wind up in front of Congress. The ultimate repercussions of that scenario might be damage to your brand, damage that could take a generation to recover.

What can an organization do to prepare for a future cyber crisis event?
The first thing every company should do is review any existing crisis response program. If there is no plan to begin with, they can hire a firm that will come in and pull together critical stakeholders and experts within the team and help build one. Quite simply, you want to know what your vulnerabilities are, from hardware to human resources. Once you are aware you can plug those holes and anticipate what needs to be addressed. It’s not enough to have a plan in a drawer, though—the plan needs to be revisited and rehearsed every quarter and updated as technology and personnel change.

A breach event doesn’t have to be a catastrophe. If it’s handled properly, if the response is managed well, you can inspire even greater trust from your customers. I always point to the Tylenol crisis in the 1980s. That company took a devastating situation and came out of it with an even stronger brand. The same can be true for any company facing a data breach.

In summary…
We want to thank Melanie for reinforcing the importance of including a public/media relations expert on the company’s data breach crisis ‘tiger team’ to work in tandem with senior management and an outside Breach Coach® (counsel). A PR professional can thoughtfully and transparently outline a public response that’s appropriate to the scope of the data breach event. They can also help develop an action plan to deploy remedial measures, assist victims and prevent future events.