Post-Breach: What to Say
Steps to Take When Disclosing Details of a Data Breach
After a data breach, it's important for organizations to have a full grasp on what happened and convey that message consistently to the audience. Too often, that's not the case, says attorney Ronald Raether. So, what steps should organizations take in their breach notification strategy?
First, define the goals of an organization's breach communications, says Raether, who advises clients that have experienced data breaches.
"In data breach response instances, I believe that the goal really ought to be to satisfy the audience, to provide sufficient information," he says, so that the company's reputation is maintained and that any litigation or government investigation can be mitigated or prevented.
In order to communicate information correctly, it's important to gather all the facts and understand the breach inside and out. "It's especially important to understand and identify who's affected because in turn you're going to develop your messaging around who those individuals are that need to be communicated with and satisfied," Raether says in an interview with Information Security Media Group's Howard Anderson [transcript below].
Next, ensure the message decided upon is correct and consistent, so that no corrections need to be issued and credibility isn't undermined with the audience, Raether says.
Lastly, identify the best means of communication, Raether urges. "The Internet and social media now are of greater importance, in my opinion, than traditional print and television," he says. In preparing the communication, ensure that a proper point person is chosen to speak with the audience, i.e. the customer, investors or the government. "Make sure that they all understand what has happened and have the messaging that you've developed," so that everyone's on the same page, Raether notes.
In the interview, Raether:
- Comments on lessons learned from the communications in the wake of the Sony PlayStation, Hannaford grocery store chain and Global Payments Inc. breaches;
- Emphasizes the importance of creating a call center to field inquiries from consumers;
- Encourages organizations to consider reaching out to regulators, such as state attorneys general, before issuing a breach notice to keep them well-informed and request their review of the notice;
- Discusses how to determine when it makes sense to hire a breach resolution or public relations firm to help with post-breach communications.
Raether is a partner at Faruki Ireland & Cox in Dayton, Ohio. His experience with technology-related issues spans an array of legal areas, including patent; antitrust; licensing and contracts; employment; trademark; domain name disputes; and federal and state privacy statutes. He has been involved in cases addressing compliance with statutes that regulate the use and disclosure of personal information and laws that concern the adequacy of securing against unauthorized access to personal information. Raether has successfully defended companies in more than 25 class actions.
Post-Breach Communication Strategy
HOWARD ANDERSON: How a company communicates in the wake of a major breach incident can play a major role in maintaining the organization's reputation and minimizing the financial impact of a breach. I would like to go over some of the dos and don'ts for post-breach public relations efforts based on your experience in advising clients that have experienced breaches. So let's start with the dos. What are the essential components of a successful post-breach communication strategy?
RONALD RAETHER: The first place to start is with defining the goals. Traditionally in media management, the goal has been to control the message, to control what happens in print media and now television. In data breach response instances, I believe that the goal really ought to be to satisfy the audience, to provide sufficient information so that number one, the reputation of the company is maintained and then number two, to mitigate or prevent any litigation or government investigation that could harm the business operations of the company.
Keeping that goal in mind, the place to always begin is to collect the facts and understand the breach. It's especially important to understand and identify who all is affected because in turn you're going to develop your messaging around who those individuals are that need to be communicated with and satisfied. It's important to identify all the relevant audiences, both internal and external, which can include government agencies as well as the consumers that need to be notified and the employees that interact with them.
It's important to decide on a message, to be consistent with that message and most importantly to make certain that you have a complete and thorough understanding of the facts so that you subsequently don't have to correct a misstatement or provide inconsistent information that can undermine the credibility you're trying to develop with the intended audience.
It's also important to identify the best means of communication. That can vary depending on the audience. In cases I've been involved in, we've used everything from e-mails and letters to actually picking up the phone and calling who we expected to be influencers within the affected consumer community. But make sure to pick the best means of communication for the group that you're dealing with, which can include social media. It's important not to forget about social media, as we have a tendency to traditionally focus on print media and television. The Internet and social media now are of greater importance in my opinion than traditional print and television. Make sure that everyone who may have contact with the audience, i.e. either the consumer or the government, investors, whomever that audience is that's likely to raise questions about the breach, understands what has happened and has the messaging that you've developed, whether it be in bullets or frequently asked questions, and that they have access to that or know someone within the company to refer the inquiry to so that it's responded to quickly.
Mistakes in Breach Communication
ANDERSON: What are the don'ts to avoid? What mistakes do many companies make when communicating after a major breach, do you think?
RAETHER: The biggest ones are not being proactive, number one, and then number two, not having a full grasp of the facts regarding the breach before they begin making communications with the intended audience. It's important to develop credibility with the audience, to reassure them that the company has a grasp of what happened and has implemented processes and procedures to control and mitigate against any further harm, and inconsistencies in the message obviously undermine that. It's also important to have a message that doesn't generate a belief on behalf of the audience that you're trying to hide the ball, to provide them incomplete truths. I've found that providing limited legalistic or formulaic responses actually undermines and inhibits the accomplishment of the goals that I mentioned earlier.
So it's important to be as complete as possible. There are obviously some restrictions in terms of how much you can tell the general audience, even consumers, about how the breach occurred or, more importantly, what steps the company's taking to prevent future breaches, because that detail can in and of itself inhibit the security of the company, but providing as much information as possible is important.
It's also important to provide a process that doesn't frustrate the consumer. Just providing a website or a letter without some ability for the consumer to speak to a live person, I've found that's ineffective. It's good to have a call center, some individual who's ready to talk with the consumer live and directly. Ignoring certain audiences, in other words focusing on what the company may think is important, for example print media or TV media, and ignoring bloggers, social media and privacy advocates, can turn around and backfire on the company if they don't pay attention to all the audiences that are going to be interested in the breach.
Determining Timing
ANDERSON: What insights can you provide on how to determine the best timing of a press or investor briefing, a press release, or other communication efforts, and who should be the face of the organization in any formal communications?
RAETHER: Timing can be pretty tricky. The intent is to help satisfy the audience, provide them the information without creating a story or creating a media buzz. Timing really depends on the type of case and the audience at issue, and in a high-publicity breach you may want to reach out to someone in the local media, whether it be a newspaper reporter in the hometown of the company or somebody who's active in the blogosphere on this particular issue, and give them a heads up even before you send the notice out. Of course, after you send the notice out, you're going to want to have an individual ready that's going to be able to handle any inquiries from the press, deal with the investor questions and the like. I've also in the past reached out to regulators, attorneys general, before the notice letter went out, not only to give them a heads up as to what was going on, but also in some instances to have them review the notice letter and bless it before it goes to the consumers.
In terms of the face of the company, the normal premise is to have a single face. That doesn't always work depending on the complexity of the situation; the potential for publicity and the various media that might be involved also affect the decision. What I've found is that whoever the spokesperson [is] - it could be that you have one for consumers affected by the breach; you have another for the media; you have another for government regulators, and even another for investors; that could be the same person or that could be multiple people - the common traits you want in that individual or individuals is that they're trusted by the audience, that they have some experience in speaking and interacting with that audience and that they also have the skills to handle difficult questions. Now how experienced they are with the expected medium of course will be important as well.
Using Third-Party Firms
ANDERSON: Should companies generally partner with a breach solution firm or a public relations firm to help them with their post-breach communication following a large breach? What do you think?
RAETHER: I think it both depends on the circumstances as well as the knowledge and experience of people who work within the company. For example, a company that's used to doing direct mailing may not necessarily need to hire a third party to do the mailing. Likewise, a company that has a well-established public relations department, government affairs department, investor affairs department may not need to hire a third party. However, I have found that even with companies that have a well-developed group of individuals in each of those disciplines, it may still be necessary to hire a third party simply because of bandwidth issues. In other words, those individuals have their day-to-day job. When you add the level of work that's required for responding to a breach, it often surpasses what they're capable of doing individually, so bringing in a third party helps provide needed resources.
Of course, if the company doesn't have people with experience in those disciplines, then it's essential to bring in third parties who can not only bring in their level of knowledge and experience in handling each of these communications, but also have developed relationships with individuals, for example in the AG's office or at the local newspaper or the national newspaper, to help influence and control the messaging.
In my experience, it's been about 50/50 in terms of when we hire third parties to help with communication issues, and of course another influencer in that is the likelihood that the breach is going to gain some type of media interest.
Lessons Learned
ANDERSON: Finally, what else can we learn from recent post-breach communications efforts of companies in the financial services and healthcare sectors, as well as other sectors?
RAETHER: I think there are a number of interesting breaches that have happened lately that sort of spell out some of the points that I've made earlier. The Sony PS3 announcement, for example: initially, in April of 2011, they announced that there were 75 million people affected. They then later had to announce that another 25 million were affected. It would have helped, I think, in their communications with the media, if they had let everyone know that the investigation was still ongoing. Likewise with Hannaford; that has been a while back, but in that case they used a single letter to notify the consumers and in their media statements suggested that it was a single event. Hannaford, you may know, was involved in a lawsuit where the First Circuit Court of Appeals found standing because there were about 700 or 800 consumers that had actually been victimized. Had Hannaford split that communication program into two separate groups, in other words sending one form of notice to the 800 and a different form of notice to the other 4 million, they could have mitigated some of their exposure and the subsequent litigation.
The most recent example involves Global Payments, which announced that there was a breach. They did some good things. For example, they put together what I think was a pretty good website that provided information to both affected consumers and investors. The one thing on the website that's not clear to me is how often it has been updated, and I also can't tell how effective it's been in preventing its customers, i.e. merchants, from no longer using its services. But even with Global Payments, the information that was provided by Global Payments was inconsistent with the information provided to the public by Visa, and I think that inconsistency in the messaging hurt Global Payments both in the media and in the public eye.