Data breaches are occurring more frequently than ever before, even when organizations have the best security precautions in place. According to the Identity Theft Resource Center’s 2021 Data Breach Report, data breaches rose 68% from the previous year, reaching the highest number ever reported. That said, while a cyberattack may be out of an organization’s control, one thing it can and should control is how it communicates a breach.
Many corporations have developed canned responses to breaches along the lines of “We identified a breach of our systems, and you have been identified as being impacted. Your security is of the utmost importance to us, so we’re providing you with free monitoring.”
However, more sophisticated and impactful breaches need a more detailed response plan, one that focuses on getting systems back online and defines what steps the organization will take to prevent another breach from occurring. There are three key elements to implementing a successful data breach communication strategy: an incident response plan, consistent communication, and transparency.
Lean into the Incident Response Plan
An incident response plan is one of the most critical components of the customer notification process, as it enables an organization not only to acknowledge that it has fallen victim to an attack, but also to take ownership and focus on the customer.
Following a data breach, the customer ultimately wants to know three things: if their data has been stolen, the risk to the data at the time of the incident, and if they need to take additional action with the government or law enforcement to assist in the investigation.
The incident response plan should provide accurate and timely information that accounts for all these customer questions and keeps their best interests in mind. This plan must be communicated and adopted beyond security and IT teams by a crisis management team that extends across all departments. Every person in the communications chain must report their findings to the executive level for all angles and aspects of the breach to be considered.
An organization must also proactively work with legal and finance teams to understand which regulatory bodies, government entities, and insurance agencies to notify. Once all information is made clear, the organization can convey the details of the incident to the customer in a quick and straightforward manner, and, in high-profile situations, present the case to the public.
Maintain Open and Consistent Communication
The 2021 data breach report from IBM and the Ponemon Institute shows that, on average, organizations identified breaches in 212 days and contained them within 75 days. As a result, organizations and their customers were left vulnerable for an extensive period of time. Time is of the essence, so an organization must execute on customer communications as early as possible. It should also ensure that it is the go-to source for any information regarding a breach at all times. As such, it may be beneficial to create a webpage dedicated to providing updates in real time.
In terms of how information is communicated, an organization must give its affected customers a clear understanding of which data was lost and when the incident occurred. End users require as much information as possible to understand how this breach could impact their lives and businesses.
Some of the top questions to ask your team when communicating a data breach include: what happened and what do we know, what is the scope of the incident, how were we affected, and how exactly can we help the customer?
In asking these questions, an organization can ensure it is fully prepared to communicate with the customer and openly address their concerns in a consistent manner.
One of the biggest challenges an organization faces when communicating a breach is moving too fast and responding without having gathered the right information or assessment of impact, which can change the narrative — something that is imperative to avoid.
A shift in narrative can cause the customer to have additional questions, which, in turn, delays action — potentially causing the public to believe an organization is hiding something. Additionally, delays in communication can cause substantial problems for the customer in recovering from the breach, which will put the blame back onto the organization for any liabilities.
It is the responsibility of the breached organization to provide accurate and timely information that accounts for customer questions and looks after their best interests while also adhering to internal and external legal advice to minimize liability.
If unable to share specific breach details, an organization should be transparent about the reason for not immediately releasing information publicly, e.g., because law enforcement is involved.
A data breach can happen to any organization, at any time — so an organization should also never assume or share with their customers that it won’t happen again… because it might. Instead, it should assure the affected customer that the incident is being properly contained and managed.
To best support customers, an organization should let them know that it is prioritizing security and taking the necessary steps to mitigate future potential breaches as well. This can include steps such as hiring third parties to conduct penetration testing on the affected network, cloud platform, application, etc., where the breach occurred, and reporting those steps to the customer to show how vulnerabilities are being prevented in the future.
In today’s threat environment, there’s no guarantee that an organization won’t face a breach, even with a solid cybersecurity program in place. It’s often a matter of when, not if. As such, you must be proactive about your crisis management policies and procedures. A robust data breach communications strategy that includes transparency and open and consistent communication allows organizations to focus on resolving the incident while providing the best customer service possible.