What's the Best Way to Communicate After a Data Breach?

Question: How can organizations effectively communicate with users and external stakeholders in a security incident?

Ashley Sawatsky, Senior Incident Response Advocate, Rootly: No matter how well-prepared you are, experiencing a security breach is a massive challenge for organizations of any size. They are one of the most nuanced situations for communicators responsible for keeping those affected and the general public informed. These situations are often technically complex, emotionally charged, and deeply impactful to the public's trust in your brand. No matter what method you choose to share news — be it social media, your online newsroom, or elsewhere — these communications will be under an intense amount of scrutiny. Every word you choose counts. Based on my experience strategizing security communications for global tech companies, here are my tips for crafting expert communications during a security incident.

Bring in the Lawyers

Your legal counsel is a precious resource during highly sensitive security incidents. Before you start writing anything, consult with them on what can be communicated and any key considerations. Sending any draft messaging through your legal team helps you avoid major missteps that can lead to public scrutiny, regulatory issues, or litigation. Data privacy is heavily regulated and deeply complex — your obligations around disclosure vary by geography, type of data exposed, and more. This is certainly not an area you want to tackle without a legal expert.

Depending on the severity of the situation and the size of your company, you may want to seek additional counsel, such as specialized crisis management consultants who can coach your executive team through a communications strategy.

Get Ahead of It

You don't want people finding out their data was compromised from a press outlet, social media, or other source. Aside from the relevant stakeholders internally (and your board, if relevant), your first touchpoint should be those directly affected.

That said, as soon as those communications are out, they're likely to be shared. To maintain control around the narrative, prepare a press release to distribute immediately after you notify affected parties.

Provide Quick, Frequent Updates

As an incident unfolds, new information will be coming into light constantly. Instead of trying to capture all the details of an incident in a single communication, share brief and clear updates on key points. These updates could include reassuring points, such as:

The more information you include in an update, the more opportunity there is for statements to be taken out of context. Be mindful of information overload, which can be overwhelming for people who are worried about their personal information being compromised.

Don't Speculate

While it can be tempting to speculate about unconfirmed details of the incident, especially when there's significant public pressure for information, avoid doing so. Speculating can create confusion and force backtracking later on as you learn more. Speculating can look like:

When sharing updates, stick to what you have confirmed.

Beware of Sweeping Definitives

Can you really ensure a breach will never happen again? Choosing your words carefully is important when setting expectations and managing risk. Of course you want to reassure your customers, but making broadly definitive statements can come across as pandering — and opens you up to even more scrutiny if you don't live up to them. Instead, make statements you can back up with specific actions. Here's an example:

The security of our customers' data is our top priority, and we have taken this matter extremely seriously. Since discovering this issue, we have taken numerous measures to further safeguard our platform, including:

And so on.

Don't Forget About Customer-Facing Teams

If you have a customer support team, you can count on them receiving inquiries in the event of a publicized security breach. Be clear on how you want them to handle these types of interactions. Should they redirect to a specific contact? Do you have a statement you can provide them with? They may come under pressure to reveal nonpublic information or manage heightened emotions from callers, so it's important to set them up to handle these difficult situations with confidence.

About the Expert

Ashley Sawatsky is an expert in incident management and communication, with a special focus on the SaaS world. As a founding member of Shopify's incident response program for nearly seven years, she led incident communications and processes. Currently, as senior incident response advocate at Rootly, she consults with tech giants, including Canva, Cisco, and Nvidia, on incident response strategies.