4 communication mistakes to avoid during a data breach
Don’t fall prey to these errors.
Maria Stagliano is a director at Leidar.
Experiencing a cybersecurity incident is no longer an if, but a when. Whether you’re on the consumer end receiving the letter about your exposed data or a Fortune 500 company being ransomed for millions of dollars, data breaches have become a familiar event in our lives. According to Forbes, in 2023 alone there were 343,338,964 victims of cyberattacks.
In our experience working with hundreds of companies experiencing cyber incidents, we have found that organizations are increasingly prepared for contingencies and business continuity – but underprepared for any potential reputational fallout.
As the saying goes, “failure to prepare is preparing to fail.” We’ve seen evidence of this during cyber incidents, when the legal, IT and operations teams have a remediation plan, but the communications team has not fully gamed out the possible implications in advance and missteps as a result. Following are some of the most common errors we’ve seen during cyber incidents.
Self-inflicted wounds on social media
Though seemingly harmless at a glance, a scheduled social media post that nobody remembered to pull can land at an embarrassing moment in the middle of a full-blown cyberattack.
In the midst of halted operations, inoperable websites and delayed services, consumers scrolling past a cheery “Cybersecurity awareness!” post or a call to action to “Try our digital services!” will conclude that the brand is disorganized during a crisis. This oversight can quickly snowball into a social media storm of screenshots, comments and shares that erodes consumers’ overall confidence in the brand.
What to do: While many response plans call for tightly controlling details within a small core team, the communications team needs enough awareness of the incident to properly vet upcoming content and temporarily pause scheduled posts that are unrelated to the event. That does not require sharing forensic detail; it requires telling the social media team that an incident is under way and what kinds of content to hold. Reading social media teams into a situation with enough detail to avoid self-inflicted wounds means one less issue for the company to worry about down the line.
Overcommunicating without all the facts
During a crisis, executives tend to feel a heightened and urgent pressure to say something to their stakeholders. Further, communications teams who are used to being able to share information with the public may feel an overzealous desire to publish a press release and media statement about the incident as quickly as possible. This is almost always the wrong strategy.
You only have one chance to get the facts right and get your story on record, or you risk being consumed dealing with misinformation, not to mention potential legal liability. Until the forensic investigation is conclusive, every early finding is provisional and nothing – nothing – is ruled out. You may initially feel confident that no data was exfiltrated, only to discover a week later that hundreds of thousands of files were taken and customers’ personally identifiable information was accessed. Any statement built on the early picture then has to be publicly corrected.
What to do: Prioritize internal collaboration and agree on what can – and cannot – be said before any external communication begins. Teams need to be on the same page about the facts, understand who can or can’t speak externally, and fully process the limitations of what can be said. Establishing clear talking points, FAQs and phone call scripts to guide conversations will reduce the chances of having to make corrective statements later.
Forgetting to be empathetic
Learning that their data has been exposed can be highly emotional for consumers. Certain types of exposed data — private health information, photos of minors, or police reports of sexual assault crimes, for example — tend to provoke especially strong reactions among potential victims. All personal data can be weaponized, and there are plenty of examples of individual harm.
It’s easy to fall into a boilerplate message strategy, especially if there are legal liability concerns. But it is important for communicators to put themselves in the shoes of the victims and reflect empathy and understanding for what they are experiencing.
What to do: Avoid detached, corporate-speak responses and instead opt for meaningful communications tailored to the groups most affected. Since many larger data breaches are managed via call center scripts, the written communications strategy for these groups must be thoughtfully integrated into the mass messaging, with clear escalation protocols in place for those who raise personal concerns.
While it is tempting in a cyber incident to see consumers as data sets, an empathetic approach can preserve trust and maintain positive relationships with customers.
Treating employees like customers
Whether burdened with technical disruptions, phone calls from frustrated customers, or a fear of their own data being exposed, employees are just as affected by a cyber incident as customers. While it is important to have consistent messaging to explain what’s happening, employees will expect to be read in and not given a scripted, standardized response. Management must address employees and other internal audiences with a different mindset and tone.
What to do: Addressing employee frustration in a breach requires management to clearly define the situation and explain the limits of what can be shared in real time. If answers are limited in the middle of an investigation, acknowledge the frustration employees feel. Acknowledge that they may be part of the data set affected by the incident. Acknowledge that their job may be made more difficult by managing frustrated customers and having to conduct certain tasks manually.
An all-hands meeting that discusses the incident at a high level is a great way to reduce anxiety among staff and make sure everyone is on the same page. Keeping it high level also limits what an attacker who still has a foothold in internal systems could learn from the meeting itself. It is also an opportunity to remind employees of the company’s media inquiry protocol, which reduces the chance that someone inadvertently shares unauthorized information with a reporter.
At their best, data breaches are a minor annoyance to the consumer. At their worst, data breaches can cause irreparable reputational, financial and operational damage to a brand — especially when mismanaged. By avoiding common pitfalls during a data breach, organizations can protect brand confidence and maximize public trust.