A Crisis Communications Plan for Data Breaches
Oct 28, 2015
Data breaches are becoming more common, with breaches this year in the healthcare, financial, and higher-education industries.
With a profusion of sensitive data, healthcare organizations are a prime target for data breaches, and 2015 has seen its fair share with major players like Anthem and Blue Cross among the violated.
Aside from working with your IT department to take measures to minimize your organization’s risk, you should be ready with a crisis communications plan specific to this type of situation.
Step 1: Get prepared.
Knowing how your organization will react to a data breach is essential and will expedite your response. Make sure you can answer the following questions to get the ball rolling.
- How will the public and stakeholders be informed?
- What other key steps need to take place immediately after the breach?
- Who are your contacts at relevant law enforcement agencies and credit monitoring services?
- How will legal concerns be balanced against reputational damage?
- Does it make sense to have a seasoned PR crisis communications consultant on retainer?
Step 2: Establish the facts.
If a data breach occurs, circle up your crisis communications team—top-level executives from legal, your public relations consultants, security, IT and any other relevant departments—and hold a meeting to establish what you know. Determine what data was compromised, who was affected, how they should be alerted, whether the security hole has been patched, and which law enforcement agencies have been informed.
Step 3: Communicate immediately and directly.
Once you know what you know, you need to inform those affected quickly and directly. You will also need to make an official statement about the event on your website and potentially to the media. But first, get in touch with those who were impacted.
- Be honest and straightforward.
- Show remorse and articulate how seriously you are taking the situation.
- Explain how the breach will affect those impacted and what they can do.
- Answer any potential questions that you can.
- Focus on the relationship and how you can strengthen it.
A great example of a company that reacted well in a data breach crisis is Buffer. They got ahead of the story and sent this message directly to all customers before the breach was even public knowledge.
I wanted to get in touch to apologize for the awful experience we’ve caused many of you on your weekend. Buffer was hacked around 1 hour ago, and many of you may have experienced spam posts sent from you via Buffer. I can only understand how angry and disappointed you must be right now.
Not everyone who has signed up for Buffer has been affected, but you may want to check on your accounts. We’re working hard to fix this problem right now and we’re expecting to have everything back to normal shortly.
The best steps for you to take right now and important information for you:
- Remove any postings from your Facebook page or Twitter page that look like spam
- Your Buffer passwords are not affected
- No billing or payment information was affected or exposed
- All Facebook posts sent via Buffer have been temporarily hidden and will reappear once we’ve resolved this situation
I am incredibly sorry this has happened and affected you and your company. We’re working around the clock right now to get this resolved and we’ll continue to post updates on Facebook and Twitter.
If you have any questions at all, please respond to this email. Understandably, a lot of people have emailed us, so we might take a short while to get back to everyone, but we will respond to every single email.
– Joel and the Buffer team
Step 4: Make your official statement.
Now that you have addressed the stakeholders impacted, you can make your official statement. Publish it to your homepage above the fold and direct people to a 24/7 number or email where they can get more information.
- Let people know what happened.
- Be honest and compassionate.
- Explain the consequences, what you have already done and what more you will do.
- Answer any questions you can.
- Provide contact information for media inquiries and for stakeholders looking for additional information.
Step 5: Monitor all social channels.
You should pin your official statement to all your social media profiles and respond to questions and negative statements as quickly as possible by arming your social team with information. Provide the team with a clear message to respond with, a place where specific questions can be directed, and a flow chart that tells them how and to whom to escalate certain issues.
Additionally, monitor all social media channels, review sites, forums and industry blogs to gauge online sentiment and to know when you need to jump in to shape the narrative in a positive way.
Step 6: Follow up.
Continue to communicate regularly throughout the crisis and provide updates whenever possible. Have a script prepared that answers standard questions even after the initial period. Don’t respond with “no comment.”
Use your social media channels to provide information as it becomes available and be sure to update your official statement.
The bottom line is to have a plan of action, communicate clearly and directly, and monitor online and traditional media. If your organization is without a crisis communications plan, we can help you put one together, so you are prepared should any type of crisis arise. Drop us a line to set up a time to talk.
As a digital marketing strategist, Maribeth loves learning and writing about content marketing, social media, SEO, paid advertising, PR and mobile. She is obsessed with data-driven marketing and believes all online channels should be given a strategy, so engagement can be personalized and well targeted. In her free time, she likes watching science documentaries, hiking, skiing and traveling to far-flung places.