Denise DesChenes

A company’s response to these attacks is critical. Like any crisis, there’s no one-size-fits-all approach, and companies must rely on experienced, trusted advisers to help them weigh a variety of factors and formulate a tailored communications strategy that’s right for them.

Data breaches can take a multitude of forms. Hacking, malware and physical attacks are still the most common; incidents of cyber theft can vary, from hackers stealing customer or employee email addresses and passwords, to cybercriminals accessing company financials. Unfortunately, attacks can also originate within an organization and may or may not be intentional, in cases of privilege abuse or the use of unapproved hardware, which is often the result of weak internal policies.

While employing the latest in data security technology remains a cornerstone for mitigating the risks associated with cyber-attacks, companies today must go above and beyond to protect themselves and their customers. Cyber criminals continue to outsmart even the most sophisticated security systems, and companies across all industries must arm themselves with contingency communications plans that can be put into play quickly in the event that a cyber-intruder strikes.

With so many variables to consider, it’s imperative that companies retain a tight circle of trusted, impartial advisers with experience handling the most complex cyber-crime situations. This circle may include data breach attorneys, data security consultants and crisis communications professionals. This team should have a framework in place that will enable an informed working group to move swiftly to assess the situation, contain the breach, limit the damage, and determine the most effective way to communicate with a company’s various stakeholders.

When responding to a breach, a comprehensive communications strategy is of the utmost importance. If communications are mishandled, those blunders can potentially be even more disastrous than the breach itself, and can have a lasting impact on both the public’s perception and the company’s bottom line.

While timeliness of a response is considered a hallmark of a sound crisis communications strategy, in a data breach situation the magnitude and nature of the cyber-attack may not immediately be evident, and a proper investigation may take some time. Accuracy of the information available and timeliness of the communications response can be an extremely delicate balancing act.

Upon learning of a breach, companies should immediately alert the appropriate authorities, while simultaneously investigating the breach and commencing the scenario planning process with their circle of advisers.

Key questions that management should ask at this juncture include: “How many people are potentially impacted?” “What type of information is lost?” “Is there evidence of misuse of information?” “Has the unauthorized access been contained?” “Was the information lost by our company or by a third party?”

As facts are determined, companies and their advisers should begin to prepare for various scenarios following the breach. Anticipating key questions from all constituencies, including the media and general public, investors, regulators, and employees, will help drive the drafting of potential disclosures and communications documents that can later be finalized when the facts come to light. The scenario planning process should be fluid, with the key adviser team ready to move forward with a full communications plan on short order and poised to adjust response materials or strategies as needed. As part of the initial scenario planning process, a leak strategy addressing various scenarios should be prepared immediately, as the media may become aware of a breach and reveal it.

Disclosures and communications materials are dependent on many factors, including the impacted company and parties, the scope of the incident, the information stolen, and the industry climate, among numerous others. Disclosures must be as accurate and specific as possible and legally permissible; subsequent corrections are often interpreted as signs that a company is not effectively managing the situation.

A breach could trigger a public filing requirement and may warrant a press release, depending on the magnitude of the breach and the level of impact.

A company’s corporate website enables it to provide updates to its stakeholders regarding the breach and the investigation in real time without issuing multiple press releases.

A social media strategy regarding the incident should be considered.

Work closely with law enforcement officials and apprise them of any communication plans; legal disclosure requirements vary by state and an ongoing, active investigation may limit how much the company can share about the nature of the breach.

A notification letter from the company’s management team can assure stakeholders that the incident is being taken seriously and the upper echelons of the company are directly involved in the management of the breach.

Consider setting up a call center via a third party to handle customer inquiries and ensure that call center staff are trained to manage appropriate responses.

When financial information or other critical pieces of personal information are involved, companies should consider offering impacted customers credit monitoring services.

In today’s digital world, sophisticated and determined cyber criminals are capable of attacking a wide range of data systems and computer networks, and we must increase vigilance in both our professional and personal lives. Cyber-intrusions may have become commonplace, but it is the management of stakeholder communications in the aftermath of these insidious attacks that will shape a company’s reputation for the long term.

* * *

Denise DesChenes is a Managing Director at Sard Verbinnen & Co.