Ted Kobus, co-leader of BakerHostetler’s Privacy and Data Protection team, advises on risk management, compliance, incident response strategies, and regulatory and class action defense. He has led more than 750 incident responses, is ranked in Chambers USA, and was named an MVP by Law360 for Privacy/Consumer Protection. He is currently representing Premera Blue Cross Blue Shield in incident response, law enforcement investigation, legislative inquiries, regulatory investigations, and the over 20 class action lawsuits filed to date.
Only five months into 2015, several high-profile data breaches have already affected nearly 100 million people, and this apparent data breach epidemic shows no signs of slowing down. As the fallout from these breaches continues to unfold, organizations not yet affected should take this opportunity to study these incidents and assess their own preparedness to deal with a similar event while they still can.
However, even the most rigorous breach preparations can be undercut by one crucial aspect of breach response: communication. When it comes to data breaches, perception is reality. Regardless of how diligent, thorough, or prepared an organization may be, the timing and manner in which the organization communicates a breach to the public and regulators shape how the incident is perceived more than any other aspect of breach response.
Here are 5 communication tips for surviving the data breach epidemic of 2015:
1. Don’t Go Public Until You Have All the Facts
When responding to a data breach, organizations must walk a fine line between prompt notification and accurate notification. Prompt notification is essential if affected individuals are to protect themselves. However, notifying individuals prior to gathering the information needed to assess and fully understand the incident creates the risk of providing inaccurate information. And inaccuracy can turn an already difficult situation into a nightmare.
In addition to creating a negative perception of an organization’s competency and honesty, an organization that disseminates incorrect information must spend significant time and resources to rectify the situation. These efforts may overshadow the positive aspects of the organization’s response, such as remediation efforts and corrective actions.
Taking time to collect all of the facts before going public is the best way to ensure that communications are accurate and complete, and doing so may even reveal that notification is unnecessary.
2. Avoid Sending Out Multiple Notices
When an individual receives a notice that their information has been compromised, they will likely (and understandably) be alarmed and concerned about the security of their identity. When an individual receives multiple notices regarding the same incident, they will likely (and understandably) be confused and irritated as well as alarmed and concerned about the security of their identity.
A follow-up notice rarely contains good news, and no matter how artfully the notice is written, the mere fact that multiple notices are required for a single incident naturally raises suspicion amongst recipients as well as regulators. Multiple notices also prolong the life of an incident in the public eye and increase the likelihood of inconsistency or contradiction in an organization’s messaging, intentional or otherwise. Sometimes multiple notices are unavoidable, but organizations should do everything they can to avoid stirring up confusion and skepticism.
3. Make Sure Communications Are Clear, Thorough, Consistent, and Accurate
Welcome or not, data breaches put a spotlight on an organization’s ability to communicate with the public, which can be both a burden and an opportunity. Will the organization communicate clearly and confidently, or will it resort to legalese and ambiguity in an effort to protect itself? Will the organization be transparent and forthcoming, or will it withhold and obfuscate troubling facts? And, perhaps most importantly, will the organization make a mistake?
Notice letters, regulatory reports, press releases, call center scripting, and other communications may be part of a company’s response to a breach. Clear, confident, and thorough communications create the perception of competence, while consistency, accuracy, and transparency demonstrate diligence and help rebuild trust. By ensuring that all of these communications abide by these standards, an organization can seize the spotlight and turn a difficult situation into a triumph. However, like many aspects of breach response, a balanced approach is optimal.
Some of these communications are subject to content requirements under state and federal privacy laws. Organizations should stick to these requirements and keep things simple to avoid being perceived as disingenuous.
4. Be Ready to Answer Who, What, When, Where, Why, and How—Not Just the Tough Questions
A data breach raises a multitude of questions that an organization must address, and some are harder to answer than others. Although organizations may be tempted to focus solely on the tough questions in an effort to avoid “gotcha” moments, the simple questions are much more common and should not be passed over. For example, if an organization spends too much time preparing to rebut difficult questions about an employee’s potential involvement in an incident and it fails to coordinate a consistent answer about the name of the facility where the incident occurred, its efforts to rebut the troubling fact become somewhat irrelevant. Ensuring consistency surrounding the basic facts of an incident is just as important as preparing for the hard questions and is a step that organizations can’t afford to ignore.
5. Be Clear About What You Are Doing to Make it Right
Although an organization may naturally focus its communication strategy on explaining the details of what happened, this is only part of the story—and a relatively negative part of it. Communications should clearly define what the organization is doing to make things right.
There are two components at play here—efforts to remediate and mitigate harm, and corrective action. Remediation and mitigation efforts include steps like offering credit monitoring, setting up a toll-free phone number for more information, and cooperating with law enforcement to further investigate the incident or retrieve compromised information. Corrective actions focus on what the organization is doing to prevent similar events from happening again, such as enhancing technical or physical safeguards, providing additional training, or revising policies and procedures.
Although detailing these efforts in a clear and concise manner can go a long way in reassuring a skeptical public, organizations must be careful not to overpromise and underdeliver. It’s crucial to complete the steps communicated in their entirety. Failure to do so can have serious consequences in the aftermath of a data breach.
Communication can either be an organization’s secret weapon for combatting a data breach, or its Achilles’ heel. As organizations continue to confront data breaches, the importance of communication cannot be ignored.
To learn more about avoiding a data breach nightmare, watch the webinar on best practices to prepare for, respond to, and recover from a breach.