Breach Communication

A Clark School study at the University of Maryland states that there is a cyber-attack once every 39 seconds and that 1 in 3 Americans will be affected by a cyber-attack this year. Yes, these alarming statistics concern us all; it’s a sign of the times. As a business leader, it is your job to plan for any number of events, and a cyber-breach is a likely one.

The first step is to understand and admit that you have information to protect. You need to understand that your company DOES have information that criminals (the press likes to use ‘hackers’) want. Even if you don’t have healthcare information, credit cards, or social security numbers, you probably have customer lists, e-mail addresses, and business partners that can be exploited. The result of criminals getting access to your data can be stolen funds, access to partner systems, or even blackmail. If any of those things happen because of a breach in your systems, your customers will want to know what you are doing about it. Quick, efficient damage control is key. If you don’t have a plan, your reputation and trustworthiness could be irrevocably damaged.

Respond Quickly and Directly

We have all heard the phrase, ‘Get ahead of the story’. Social media ensures that negative news will travel around the world in the blink of an eye. After a breach, you have a limited amount of time to respond. The last thing you want is for your clients to be talking about something you don’t know about. Of course, a knee-jerk response may not be helpful either if you don’t have a plan in place. Think about what could happen and plan a response that would fit the type of breach. It’s far better to have a template than to have nothing. If you don’t have a cyber-response plan, put one together now.

Customers are more likely to complain than praise, and 90% of potential customers will research you before purchasing. So it’s important to address issues directly, both publicly and privately, to minimize the impact of a social media black eye. Not only will this cool off the individual, it will also show that the company responds to customers.

Find the Problem and Develop the Solution

OK, you had a breach. Whether the breach was a result of human error, phishing, or a design flaw, there is something that needs to be addressed. Find it! You don’t have much time to find out what happened, often because customers will be demanding answers. Don’t just grasp at straws; figure it out. If you don’t have resources in-house that can help, there are plenty of resources you can bring in. Keep in mind that law enforcement can prove to be a resource for you as well. It may be very helpful to know of similar attacks and how they were resolved.

When to Go Public

If the breach isn’t already public, consider taking it public.  You may take a reputational hit in the beginning but with a breach every 39 seconds, you’re likely to be forgotten before very long.  Additionally, it is far worse to be found covering up a breach than to have made it public ASAP.

Keep in mind that there are notification rules in many states. You must, and probably should, notify all individuals that had information compromised. In California, a breach of information for over 500 Californians must be made public. New York has a similar provision for 5,000.   GDPR (in Europe) and CCPA (in California) also contain notification requirements, templates, and timelines.

Take this opportunity to market how your company will prevent this from happening again. Increased staff, technology, and even new procedures will help assure the customers (and public) that your company is on top of the situation.  Consider setting up an information line for phone and e-mail questions.

Now Move Forward

It's fine to celebrate success but it is more important to heed the lessons of failure. - Bill Gates

Security breaches are a risk to business but don’t need to be catastrophic. Every setback is also an opportunity for improvement, and the better your company is at responding to a breach, the better it will look in the marketplace. The fact is, if you survived the breach, the company is likely a lot stronger and better equipped now, possibly more so than the competition. Using improvements and lessons learned in marketing is a great way to set your company apart from your competitors.


Paul Bergman is vice president of Tracc Development, Inc., where he drives cybersecurity engagements for enterprise and government clients, such as Cisco Systems, Panasonic, US Navy, ROAM IT, and Kryptos Logic.

