[BreachExchange] The top ten data breach communication errors

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jan 3 20:13:00 EST 2017


http://www.continuitycentral.com/index.php/news/business-continuity-news/1656-the-top-ten-data-breach-communication-errors

Data breaches continue to make headlines around the world. Many companies
think they are fully prepared to communicate in the wake of a breach. But
are they? Is having a basic crisis communications plan enough? Granted,
something is better than nothing, but being ready to communicate during a
data breach crisis requires much more preparation than a basic crisis plan
and some generic messaging.

Communication errors can occur during any of the three stages of data
breach communications (Ready, Response and Reassure), and errors often
generate the cascade of negative effects that can arise in the wake of a
breach. Understanding and preventing these top ten common errors can help
stricken companies avoid adding insult to injury when a crisis strikes.

The top 10 errors are:

1. No formal data breach communications plan: as soon as the alarm is
raised and the company realizes it has been breached, time becomes a
critical asset. The company needs to notify all relevant stakeholders
(authorities, partners, customers, any and all entities compromised) as
quickly as possible.

With confusion and panic likely, managers should not have to waste valuable
time and energy tweaking a generic crisis communications management plan. A
formal, scenario-specific data breach plan provides the crisis
communications team with the ability to think with clear heads, make good
decisions, and communicate with laser-like accuracy.
Scenario-specific plans facilitate precise communications and messaging.
Moreover, they increase stakeholders’ faith in the integrity and competence
of the company, reducing the potential for the company to be perceived as
not knowing what is going on, and mitigating the ever-present risk of both
media and clients speculating whether the company can actually manage the
crisis.

2. No designated crisis communications team, spokesperson, and key decision
maker: the crisis communications team is a key element of successful crisis
communications planning. The designated team will be directly involved in
and responsible for crisis management and communication during the
lifecycle of the data breach. When the crisis communications management
team does not have roles and responsibilities assigned before a breach
occurs, there is a higher likelihood of confusion, unnecessary error, and
wasteful duplication of effort.

The chief spokesperson, ideally the CEO, plays a pivotal role in managing a
crisis. He or she is the face of the communications process for the
duration of the crisis. Other senior executives can play a valuable role by
explaining key aspects of the crisis. For example, a CEO may not have the
specific expertise of the CIO, who could explain the technical aspects of
the breach in more detail if needed.

Designating the CEO as a spokesperson also indicates that the issue is
being taken seriously, making stakeholders feel like efficient remediation
is a priority for the company, and that the breach is not being downplayed
to save face. Having a single decision maker responsible for analyzing
issues and making confident and accurate decisions is crucial to a
successful recovery. The ship in crisis needs a captain who can make tough
decisions and be respected regardless of the decisions made.

3. Neglecting to test the plan: a plan is of little value if it is not put
into action, tested, and exercised. How can a company have confidence in
its data breach communications plan if it has not experienced how the plan
works, or does not know whether it will work optimally?

A fully-fledged tabletop exercise involves all key internal teams – crisis
communications, IT/cyber response, business continuity, customer relations,
executive management, call center, legal, HR, etc. All external partners
and service providers should be invited and included, such as PR
consultants, business continuity and cyber security vendors, lawyers, and
insurance providers, among others.

The plan should be worked through until all kinks are smoothed out and
errors identified and addressed. Then the updated plan should be sent to
all plan holders to be kept in hard and soft copy, with the next tabletop
exercise date scheduled.

4. Insufficient technical communication infrastructure: when a breach is
discovered, companies need to focus on immediate needs, and not be
distracted by having to set up toll free numbers, test lines, call volumes,
etc. The specific type of technical infrastructure required depends on the
type of company and the nature of the business. This essential planning and
infrastructure investment should occur prior to a crisis and include
template-based scripting that can be updated based on the specific breach
scenario.

It all depends on what a company prefers. Some companies may already have
call centers and opt to use their own existing numbers. Some may designate
one call center number for day-to-day complaints and queries and another
for breach-specific queries. Some companies may outsource their entire
call-center management for the breach to third party companies who
specialize in these situations. A variety of arrangements can be
beneficial, depending on the specific needs of the company—the key is that
they be made in advance.

5. Inaccurate information and communication: misstatements and
misinformation generate confusion and a loss of faith in the company.
Providing accurate information and communication is critical, but this
tricky area comes with some challenges. The company needs to communicate
quickly and accurately to retain communications control. However, accurate
information is not always immediately available.

The cyber response team needs time to conduct a preplanned ‘forensic
investigation’ to discover what happened and how it happened so data can be
recovered, its integrity determined, and the areas of penetration
identified and mitigated, repaired, and/or closed. It can be just as
damaging to a company’s reputation to communicate too soon as too late,
when the facts are not available and word gets out ahead of formal
communication.

Similarly, a company that frequently and unpredictably changes information
and messaging can be perceived as ‘chasing its tail’. All core teams, such
as cybersecurity and legal teams, must know how to gather appropriate
information and brief the crisis communications team. Sound planning
involves creating proactive uniform protocols and plans so that
communications can be disseminated in unison across all relevant channels
via appropriate conduits.

6. Lackluster communication: how a company communicates is just as
important as what it says. The tone of communication, including ‘soft’
factors such as empathy, respect, and integrity, will go a long way in
retaining brand trust and creating a solid platform for the next phase of
communications. Clear communicators never shy away from acknowledging
mistakes and apologizing. Some spokespeople may hesitate to apologize due
to doubts about liability and responsibility issues; if this is the case,
legal advice should be sought so that spokespeople can apologize without
hedging, which can damage reputation.

Furthermore, effective communication is a two-way street. Companies cannot
simply push out a message and think the job is done. They need to give all
recipients a conduit for asking questions and seeking reassurance.
Journalists need easy, friendly access to the company spokesperson, vendors
need to know they can speak to their senior business contacts, and
customers need a telephone number to call so they can speak with a real
live person, not simply listen to prerecorded messaging.

For customers and the uninitiated, being the victim of identity theft or
losing money as a result of a breach can be traumatic. Customers need
reassurance that their interests are safeguarded. Companies should also
consider providing specialized training for call center staff and frontline
employees to deal with angry or upset customers.

7. Poor timing: one of the most important communication issues is timing —
errors can be made by communicating too soon or too late. Data breaches,
like most crises, are fluid. Situations change. Predetermined strategies
often need to be updated as events unfold. Astute leaders know the value of
proper timing. This is why it is highly important to have an actionable
communications plan that is ready to go along with a cyber response team
who knows how to brief the communications team. These teams need to know
what their roles and responsibilities are and have all the policies in
place so that when the time is right to disseminate the first press release
and letters to customers, they all contain the same accurate, well-worded
information.

The first set of press releases and communications, and their accuracy, sets
the communication tone and the perception of a company for the duration of
the crisis. As we have seen, rapid communication is critical so that the
company does not lose control of the scenario in the event of a leak to the
media, but it is rapid and informed communication that wins the day.

8. Not being up-to-date on regulations: many companies think that if they
offer some form of rudimentary communication, they have complied with the
law. This is not always the case. Laws provide a set period of time in
which to communicate. Federal, state, and local regulations vary across the
country, and valuable time can be wasted briefing executives on the law when
they need to be handling the breach. Currently all but three US states,
South Dakota, Alabama, and New Mexico, require breach notifications.

Each state has its own unique communication requirements, and companies can
be tripped up if their footprint extends to more than one state. For
example, a company could have offices in one state with complex
regulations and in another state with no regulations at all. It is prudent
to be up-to-date on communications requirements and be prepared to comply
quickly with pertinent laws and regulations when a breach strikes.

9. Poorly thought out policies and processes: one pressing question for a
company to address following a breach is, “What do we need to do to make
our customers feel more secure and know we have their best interests at
heart?” For example, should the company offer free credit monitoring? If
so, where will it come from, and how and when will the company deliver this
service? The company should have the relevant partner on board, ready to
deliver credit on short notice. Strong preparation ensures that following a
breach, the only task necessary is implementation.

These types of decisions need to be made before a breach so that in the
initial communications all relevant information can be provided clearly and
professionally, then reinforced and repeated as necessary in all subsequent
communication. Making these types of decisions in the heat of a crisis can
severely impact communication because the company will be perceived as
having no real plan of action in place to help its customer base deal with
the crisis. The inability to communicate effectively during this critical
time can impact perception, reputation, and even the bottom line.

10. Failure to monitor customer sentiment and the media: once communication
is proactively disseminated, how will a company know how the communication
was received? The company needs to monitor the social media universe, the
media, and, crucially, its call center.

Social media monitoring reveals what customers and others are thinking and
saying about the company and its communication and remediation efforts.
Gathering this information will shine a light on strategies that need to be
modified and help the team hone messaging and follow-up communications.

Monitoring the media at large provides similar but broader information; it
identifies journalists who need additional information and insights, and
helps the team target and correct inaccurate reporting. Finally, listening
and responding to customer complaints and issues received through a call
center will identify red flags and help identify potential secondary crises
which have a nasty habit of following the primary crisis.

Knowing what can go wrong can help a company avoid the all-too-common
errors that can exacerbate negative fallout from an initial data breach.
Effective proactive preparation includes avoiding these ten errors and
thinking, planning, testing, and training ahead.