Jeremiah McWilliamsYou may have heard the saying: “There are two types of companies. Those who have been hacked, and those about to be.” Now that we have experts reporting on “60 Minutes” that 97% of American businesses have been hacked, it’s clear to see that we live in a world where every major organization is vulnerable.

First, there should be clear protocols for reporting security breaches to top management. If a breach is detected, key decision-makers must get to the table – fast — for a no-nonsense “what do we know” session.

This team of executives should include senior decision-makers from legal, HR, communications, operations, security, IT and all other relevant departments. As the Federal Deposit Insurance Corp.’s Martin Gruenberg put it in a 2014 speech quoted by American Banker: “Cybersecurity is no longer just an issue for the IT department.”

Asking the tough questions

O'Dwyer's Jan. '15 PR Buyer's Guide/Crisis Communications MagazineMagazineThis article is featured in O'Dwyer's Jan. '15 PR Buyer's Guide & Crisis Communications Magazine

As the situation evolves, the team should ask the tough questions, get the facts and stay in constant contact with each other — and with the people addressing the problem on the front lines. The following should be addressed:

• Which records or data sets were compromised?

• What type of information is at risk?

• Should the company have been storing these records?

• Where and how were the records stored before the theft or breach?

• How many people may be affected by the data breach?

• Have we sealed the “door” in which hackers entered? Are there any other potential portals still open?

• Have relevant law enforcement agencies been notified? Are those agencies able to share any findings?

• If the suspects are employees or former employees of the client, what relevant information can be gleaned from their employment file? Were full and complete background checks done on them? Were there previous disciplinary problems or any previous indications of trouble?

• What steps were taken to secure the records or data before the breach? What is being done to secure remaining data?

Steps for success

And now, the race to save your client’s reputation begins. Below are a few key action points.

Understand if you are truly on the verge of a crisis situation. There is a difference between a reputational crisis and reputational challenge. The first step is to understand the situation and potential impact on the organization and its stakeholders, and the interest level the public and/or media are likely to have. Underreacting to a crisis or overreacting to a challenge can harm a company’s brand, possibly resulting in a fatal blow beyond repair.

Assemble your external support team as soon as possible. Ideally, you will have already established strategic relationships with outside entities — a crisis communications firm, forensic IT experts, credit monitoring services, insurers, and attorneys specializing in cybersecurity liability and law — before any cybersecurity breach or records theft. Lining up a trusted outside team in advance will help you respond quickly and allay concerns without losing time. You, as the PR point person, can play an important role in vetting these partners and setting up clear lines of communication before the crisis clock starts ticking.

Set up the response center, and take action to help. As soon as possible, you should offer credit monitoring and fraud protection to individuals affected by the data breach. This service should include a hotline run by a trusted credit-monitoring partner. (Note: State laws may vary, so the offers sent to affected individuals may need to be specifically tailored.)

As communications counsel, you should help craft the messages for call center responders and prepare them to answer a range of tough questions clearly — and with understanding, empathy and a clear action plan. Put yourself in the shoes of a person who has just been informed that their personal information has been lost or compromised. You would want clear assurances that the company is making things right.

Some of the calls will need the attention of senior management due to the severity of the problem or the intensity of the callers’ anger. Make sure a “hot file” for follow-up is updated and distributed to key decision-makers daily.

Remember your internal audience. Vigilantly communicate with employees so they can serve as ambassadors in the community if the company encounters a reputational crisis or challenge. Informed, engaged employees are powerful assets to help preserve the company’s credibility and reputation. Craft and share a clear internal protocol for your client that employees should follow if they are contacted by reporters, neighbors, customers or affected individuals. Provide talking points, Q&A and coaching as needed. Remind employees of the media protocols and ask them to direct all inquiries to the designated company spokesperson(s). This is not the time for employees to freestyle.

Monitor media coverage. Task a team to closely monitor any coverage in social or traditional media. Assemble an up-to-date media list for use when you share updates. If a reporter calls, respond promptly — at least to let them know you have received their inquiry and are working on their request. Silence can be deadly.

Through close monitoring of social media, you’ll know when people are saying something about the company that would require an immediate response. It also gives your client the opportunity to communicate directly with their customers in real time — a key part of being responsive and thoughtful.

Ideally, you should have a pre-approved message bank that can be used to respond to comments on social media. Don’t just use boilerplate over and over — empower your social media team to use their judgment, with oversight from senior executives. The sooner you use social media as a communications tool in a crisis, the more effective you’ll be navigating the maelstrom — even, as Inc. magazine’s Abigail Tracy writes, the tempest brought about by a Valentine’s Day storm.

Decide what to share, and when. It is possible your client’s cybersecurity problem will not morph into a news story, even after you communicate with affected individuals. But you should still have a plan for dealing with media attention. If your client opts not to preemptively let the media know about the problem, draft a brief holding statement about the situation and keep it on file for use if you receive inquiries from journalists.

Don’t stay silent when you should break the story. One of the most important judgment calls in this process is deciding when to proactively go public with the news. There are major risks in delaying. As contributor Davia Temin wrote about Target’s data breach crisis: “No matter how much it hurts, when you have a problem that affects your customers directly, do not wait to go public. You don’t need to have all the answers, but you do need to get ahead of (and own) the problem.”

If waiting to go public is detrimental, so is going public without much to offer. A real-life example: eWeek reported JPMorgan Chase waited a month to disclose its cyber-attack to the U.S. Securities and Exchange Commission. The public filing described what type of information was compromised. But, in its filing, the bank didn’t detail what steps were being taken to communicate with affected customers. The lack of detail left reporters and customers with more questions than answers.

Get out in front. This can demonstrate good faith and a commitment to finding a solution. It can also prevent rumors from spreading in a vacuum. Once the news is public, commit to communicating clearly and consistently. Do not minimize the problem, and do not make false assurances. The need to retract overly optimistic assurances can destroy your credibility. Be forthright with customers, employees, vendors, clients, the media and other key constituencies. Don’t be afraid to admit what you don’t know, but let them know you are working to find out.

If you take decisive and well-considered steps, a crisis can turn into opportunity in the long run — a chance to demonstrate character, brand values and genuine concern for those affected by the breach. As Stephen M.R. Covey wrote, “Nothing is as fast as the speed of trust.”

In a hyper-connected world, the right communications strategy — and the right attitude towards people jeopardized by security risks — can help protect and even strengthen that trust.

* * *

Jeremiah McWilliams is Senior Communications Strategist at Jackson Spalding.