Crisis Communications Planning for a Data Breach

网络安全专家同意，不可能防止data breachfrom ever impacting your company. Since the cyber threat landscape and emerging technologies are constantly evolving, businesses of any size or industry are vulnerable. One thing you do have control over is how well your公司准备并做出回应if a breach exposes your customers’ private data.

许多公司都有广义的危机通信计划，以防工厂或罢工发生大火。但是数据泄露是独一无二的，因为它们可以涉及私人和机密的客户数据，并受到时间敏感的州和联邦通知要求。NetDiligence总裁马克·格里西格（Mark Greisiger）表示，这要求采取专业的回应。

“Crisis communications companies are becoming a really crucial component in handling a data breach,” says Greisiger, noting that cyber insurance may cover retaining a public relations firm to manage post-breach communications. “It’s absolutely a second line of defense once a breach occurs, in terms of protecting your company’s brand and reputation.”

为意外准备

One of the keys to weathering a data breach is building a plan before you need it, according to Melanie Dougherty, a crisis PR professional at Inform, a global communications firm. She works with companies to get a handle on what others in their industry are doing to prepare for and respond to attacks. She helps develop messaging for specific scenarios and trains company spokespeople to respond on-camera.

Dougherty指出，对于刚刚被抢劫数据的公司来说，数据泄露有一个情感组成部分。Dougherty说：“这就是人们通常不会谈论的部分。”她补充说，媒体的关注可能是压倒性的。有一个计划和响应团队ahead of time can help take some of the emotion out of the situation so companies can respond effectively.

“A well-planned data breach response can convey that you are in control of the situation, concerned about your customers’ privacy and committed to tightening security procedures to help prevent future attacks,” says Tim Francis, Travelers Enterprise Cyber Lead.

Here are some key elements to consider:

• 一个ssemble the team.提前选择公司发言人。Dougherty说，理想情况下，它应该是公司的首席执行官或另一位高级领导人。培训备份，以防该人不可用，例如首席财务官。在摄像头上记录您的发言人，以查看与团队的消息如何降落。
• 了解法律。Companies are sometimes unaware that their public statements, including media appearances and communication with customers, may be admissible in court if a lawsuit is filed. Consulting with a privacy attorney can help guide language while also helping companies meet regulatory and fiduciary responsibilities.
• Notify customers.对于需要通知客户的违规行为，通信计划可以包括指南和建立呼叫中心的培训。培训可能包括响应呼叫的音调和消息，以及如何将任何常见问题解答脚本脚本。
• 在所有可用的频道进行通信。在社交媒体，您的公司网站和其他渠道上接触观众，以便您可以讲述自己的故事，而不是等待在媒体上讲述。请记住，消费者可能会发现技术术语和法律术语使人感到困惑，因此请尝试使用简单的语言来表达您正在采取的保护来保护它们。
• 记住员工通讯。与员工进行沟通，以便他们在媒体上听到有关此事之前就知道违规行为。“他们可以为您提供横幅，” Dougherty解释说。“您需要他们对您的公司有信心。”

一个data breachcan be a real test to a brand’s resiliency, but customers are increasingly aware that all companies are at risk. To the extent that you can, share what your company is doing to shore up privacy protections. Companies who meet the crisis head on may even be able to emerge stronger, with a closer connection to their customers.