

And the Winner of the Biggest Data Breach Gaffe is… Overlooking the Critical Role of Crisis Communications in Privacy Practice

August 1, 2014

Data breaches occur at such a clip today that Forbes now has a column listing the most notable data breach responses of the week.  It’s the online version of the Emmy nominations for privacy gaffes called the Forbes Data Breach Bulletin.  While Forbes might find such errors egregious and even humorous, those of us in the privacy and data security fields find little amusement in what oftentimes is a devastating incident.  All would agree that preventing a data breach is challenging.  At this point, I think we would also agree that how we in the business community react to a breach is very much in our control, and oftentimes insufficient.  In fact, what may be the most visible part of a data breach response is often the most underappreciated and, as a result, damaging:  the public relations response, or crisis communications protocol.  So, how does one minimize the destruction of a data breach crisis?  Here are five things NOT to do in a crisis communications response scenario, followed by my recommendations.  

  1. Don’t assume you are either immune from a breach or other crisis, or that you’re adequately prepared.  Worse still, don’t assume you’ll figure it out once it happens. 

    Do plan, and then rehearse, rehearse, rehearse your crisis response every quarter.   

    Ask yourself this question: when is the best time to invest in flood insurance?  Before, or after a flood?  The answer is it’s always best to invest in protections prior to the time you need them.  This is true of crisis communications planning as well.  However, poor planning and lack of regular rehearsal are probably the most common mistakes organizations make in their business operations. 

    There is a litany of crises that could befall your organization.  Some of them are obvious, such as a supply chain disruption, natural disaster, strike by your employees, or cyber attack.  Some are not as obvious, such as employee sabotage or theft, or a third-party breach.  It is estimated that in healthcare alone, medical ID thefts occurred 50 million times last year, which is up 100% over the previous year, according to the Ponemon Institute, as reported on CNBC.  Use of mobile technology to access confidential patient information by thieves has now become fairly commonplace, due to the rise of the bring your own device (BYOD) policy held by most companies.  Even more alarming is the fact that theft of patient records is sometimes the work of an employee looking to make easy money.  So, now that you likely recognize that your organization’s data protection program must be considered, it stands to reason that your crisis communications response should as well.

  2. Don’t avoid the press or delay notification too long.

    Do hire an expert in crisis communications who can help you formulate a crisis response plan prior to an incident.

    Your plan should be thorough and consider all pertinent areas of your business, including legal and regulatory, IT, breach notification, human resources, brand, and customer service.  Appoint crisis captains who have clearly defined roles and one spokesperson, preferably the CEO, who can make a holding statement in a timely manner while forensics completes a thorough assessment of the situation.  Delaying breach notification until the last moment of the regulatory window gives the impression that you’re avoiding the situation, that you don’t respect the impact on your customers, or that you’re not being forthcoming. 

    Another frustrating response businesses make in crisis response is stonewalling.  Who among us doesn’t wince when we watch Morley Safer push his way through the door of a business to the shame of the CEO?  Avoiding the press simply lends to a sense of irresponsibility at best, or negligence at worst.  Avoidance will also fuel the proverbial fire.  The media feel compelled to pursue subjects they sense are hiding the truth, and consumers and regulators alike lose confidence and feel prone to act when they feel misled by an organization.  Respond in a timely manner, before the media comes calling, express regret for the incident, and commit to an investigation and resolution of the matter.

  3. Don’t give mixed messages or shift blame.

    Do provide clear, concise, and accurate information in a forthright, humble manner. Remember that in business, perception is reality. Control the situation.

    One of the most disheartening aspects of a breach to consumers and regulators alike is scapegoating and flip-flopping, both of which are the result of weak messaging and poor planning.  Like avoidance, inaccurate and inconsistent messages give the impression that a company is disorganized or, worse, avoiding responsibility.  An example of this can be found in the now legendary retail data breach that occurred late last year.  The company initially blamed a third-party vendor, then took responsibility, then blamed the vendor again.  While the vendor very well may be responsible for the breach, it simply doesn’t matter to the general public who’s to blame, and your stakeholders don’t ultimately care.  You will be held responsible and potentially liable for the poor actions of your vendor because you chose the vendor, mismanaged them, and ultimately failed to protect the data you collected from your consumers.  Consumers neither care about the vendor nor your explanation, regardless of how accurate it may be.  In the eyes of consumers and regulators, the buck stops with you.   

    Additionally, your choice of words in a crisis is critical.  In a recent state agency data breach where millions of citizens’ personal information was believed to be compromised, the agency – three times – described the incident only as a possible breach.   This is an example where notification fell short of conveying a difficult message in a confident manner.  Early notification to consumers with what appears to be a forthright presentation of the facts, as they are known at the time, is the best possible response.  Note the use of the word “possible.”  One simple word can convey much in legal terms, as well as in the court of public opinion.  Remember that words have power.  Choose them carefully with your crisis team, who have the expertise necessary to navigate what can be a legal, regulatory, technical, and public relations minefield.  Then rely on that team to help you test and rehearse your message delivery long before the crisis strikes.  And, please don’t forget to convey regret for the situation.  Regret and responsibility are two different things; one shows empathy and the other ownership.  You should of course express regret when your customers, clients and partners have been inconvenienced.  Responsibility is something your attorney can determine. 

    And it should go without saying that you never deliver devastating news through a third party, the news media, or a wireless device, as was the case in the missing Malaysian Airlines crisis.  The personal touch is irreplaceable.  It allows you to effectively convey your message in a heartfelt manner without misunderstanding.

  4. Don’t face reporters, investors, or industry colleagues prior to media training.

    Do receive regular media training from a communications professional.

    This is another obvious point to consider.  I regularly hear that the C-suite has already been media trained.  My answer, however, is always the same:  you can never have too much training.  Media interviews are both awkward and unnatural, but they don’t have to be.  Interviews, like earnings calls or industry speeches, can become a completely natural experience through regular training.  The goal is to be unflinching in your delivery, no matter how devoid of new information your message may be at the moment.  In fact, you may not be aware of a situation nor have an adequate answer to a question, but through practice you will feel and appear comfortable in delivering a response that placates the interviewer.  There is no harm or shame in not knowing the most recent development.  That can be expected.  How you convey that to a seasoned journalist, analyst, or colleague is key to the perception that you are either in control or asleep at the wheel. And, consider hiring a professional firm to work with you.  PR generalists are good at many things but may not have consistent experience in the area of data breach and crisis communications.

  5. Don’t go it alone.

    Do have a crisis team, and give them a regular seat at the table.  Choose a firm expert in this area. And remember bigger is not necessarily better.

    At this year’s International Association of Privacy Professionals Global Privacy Summit, there was barely a mention of the extensive role of crisis communications in breach notification beyond issuing a press release, which I find short-sighted.  Communications is one of your most important, consistent voices to the marketplace.  As such, your communications lead should have a seat at the table for regular business planning meetings, not just during crisis planning.  And it goes without saying that corporate communications and your crisis communications specialist should be an integral part of your crisis team, along with your privacy lead, corporate counsel, C-suite, IT, customer service manager, human resources director, brand manager, forensics expert, and insurance professional.  It may be a large team, but with proper planning, training, coordination and precise communication, your crisis response will be managed effectively before the crisis even occurs.

    And don’t forget:  plan and train, and plan and train, and plan and train some more.  When the inevitable crisis occurs, you won’t regret your thorough preparation.

    Next step: brand recovery after the crisis.  Corporate social responsibility, social engagement, and the media road show: today’s Town Hall.

    Melanie Dougherty Thomas is the Managing Director of Inform, a global integrated communications firm in Washington, D.C., San Francisco, and New York.  Melanie has over 20 years of experience in marketing and communications, from broadcast news to public policy, branding and public relations, representing leading organizations in both the public and private sectors.  Her experience transcends traditional communications, with expertise in strategy, media relations, crisis communications and integrating new media tools to leverage exposure.  Melanie has worked in the journalism field on Capitol Hill, in corporate America, and the agency sector, serving the needs of her clients.  She is known for her strong understanding of the news media, congressional and federal regulatory arenas, and the intersection of Wall Street and Main Street, which have proven invaluable to her clients.  Melanie regularly works with Fortune 500 CEOs, start-ups, government, advocacy, and association clients to develop and execute on strategic communications.  She can be reached at:
