Call us on 03450 21 21 51

PR: how a well-managed data breach can help limit the impact on your reputation
The SRM Blog

PR: how a well-managed data breach can help limit the impact on your reputation

Share this article

business continuity PR relations

We have all seen the headlines about data breaches. They make for uncomfortable reading. Even more uncomfortable, however, is the fact that it’s often through these sensational headlines that most customers learn that their data is no longer secure. We can have meticulous Incident Response plans in place but if we can’t communicate effectively with the press we leave the interpretation of facts in the hands of journalists and editors whose motivation is not to reassure but to create attention-grabbing headlines.

That’s because journalists and editors have a different agenda: they are in the news business. The same applies to bloggers and social media reporters. The higher the number of accounts compromised and the larger the amount of data at risk the more coverage it will get. If there are fines, these will be mentioned, as will any failings in steps being taken to help customers. It’s a nightmare scenario which sends a shiver through the hearts of board members everywhere.

Yet, well-handled, PR at this time need not spell disaster but can actually inspire confidence. So having a well-planned PR strategy in place should be an integral aspect of your Business Continuity Planning approach. That way, you will be prepared and will have a well-rehearsed plan of action in place not only to manage and mitigate the effects of a breach, but to minimise any reputational damage.

Professional input is always a wise investment. A good PR agency will certainly help to mitigate any potential damage and help you to manage the media when a crisis hits. Knowing your business prior to the actual crisis will help them to have the understanding to develop a detailed PR crisis plan. But you also need to have your ducks in a row. Having the right professional input in the planning stages is therefore key. A well-considered Business Continuity Management Plan will include a Business Continuity Plan, an Incident Response Plan and a Disaster Recovery Plan with every scenario considered.  

A well-constructed Incident Response plan will provide you with a step-by-step strategy to implement as a breach unfolds. This will include reporting the breach within the required 72 hour window as the process of investigating and plugging the breach is underway. While these steps are implemented behind closed doors and are largely between you and the Information Commissioner’s Office (ICO), it’s also important to focus on your external communications.

A report by Deloitte 2016 found that 33 per cent of customers felt more trusting when they were alerted by a company directly to inform them that a breach had taken place. If direct communication is possible it should therefore be a priority. At the same time, the organisation’s reputation will be under scrutiny by the wider public, including clients and customers. So when a journalist calls you will also need to have a PR plan in place. Holding statements can be prepared in advance for a range of eventualities. Nominated spokespeople can be media trained and fully briefed on what is expected of them. This will include a clear explanation of how customers are being helped, how they can access that help and what steps have been taken to mitigate any potential damage.

With careful preparation and professional guidance you can also avoid obvious mistakes. For example, online hubs which require sensitive customer data to gain access or pre-scheduled social media posts which continue to roll out in spite of the breach. But make no assumptions. Because although you can anticipate a crisis, until you put your plan to the test you will have no idea how well it will work. It is worth running test exercises, responding to a range of possible scenarios to see where the potential weaknesses are. This type of exercise can be simulated by experienced professionals as part of a full information security service.

Without naming names, it is possible to see examples of both good and bad crisis communications in the press. When a breach is badly mis-handled the consequent damage caused by negative press coverage can be easily seen. If there is any doubt about investing in robust Business Continuity Management Planning, then simply watch as these stories unravel.

As with all information security strategies, the key to successful PR around a data breach is not to be taken by surprise. If you anticipate a crisis rather than simply reacting to one you will have the advantage of developing your communication plan when you have time to think clearly and put forward your most considered and measured messaging. Addressing the technical side of remediation is vital and this is part of the Retained Forensics offering by SRM’s vastly experienced team.

To discuss the benefits to your organisation, or to talk about testing and improving your existing BCP plans, call +44 (0) 3450 21 21 51.

Or visit our website.

Follow us on Linkedin.

Or read our blog:

It’s not a Dark Art: how we demystify cyber security

Virtual CISO: too good to be true?

PCI DSS compliance is like a car maintenance: not just an annual event

Back to top