Cybersecurity In-Depth: Getting answers to questions about IT security threats and best practices from trusted cybersecurity professionals and industry experts.

What's the Best Way to Communicate After a Data Breach?

So you've had a data breach, and now you need to take the next step. Here's a guide for communicators dealing with security incidents from Ashley Sawatsky of Rootly.

Edge Editors, Dark Reading

December 21, 2023

4 Min Read
Citibank issued this notice to customers after their account information was lost, in a letter that included a new credit card number and a new card
Source: DPD ImageStock via Alamy Stock Photo

Question: How can organizations effectively communicate with users and external stakeholders in a security incident?

Ashley Sawatsky, Senior Incident Response Advocate, Rootly: No matter how well-prepared you are, experiencing a security breach is a massive challenge for organizations of any size. They are one of the most nuanced situations for communicators responsible for keeping those affected and the general public informed. These situations are often technically complex, emotionally charged, and deeply impactful to the public's trust in your brand. No matter what method you choose to share news — be it social media, your online newsroom, or elsewhere — these communications will be under an intense amount of scrutiny. Every word you choose counts. Based on my experience strategizing security communications for global tech companies, here are my tips for crafting expert communications during a security incident.

Bring in the Lawyers

Your legal counsel is a precious resource during highly sensitive security incidents. Before you start writing anything, consult with them on what can be communicated and any key considerations. Sending any draft messaging through your legal team helps you avoid major missteps that can lead to public scrutiny, regulatory issues, or litigation. Data privacy is heavily regulated and deeply complex — your obligations around disclosure vary by geography, type of data exposed, and more. This is certainly not an area you want to tackle without a legal expert.

Depending on the severity of the situation and the size of your company, you may want to seek additional counsel, such as specialized crisis management consultants who can coach your executive team through a communications strategy.

Get Ahead of It

You don't want people finding out their data was compromised from a press outlet, social media, or other source. Aside from the relevant stakeholders internally (and your board, if relevant), your first touchpoint should be those directly affected.

That said, as soon as those communications are out, they're likely to be shared. To maintain control around the narrative, prepare a press release to distribute immediately after you notify affected parties.

Provide Quick, Frequent Updates

As an incident unfolds, new information will be coming into light constantly. Instead of trying to capture all the details of an incident in a single communication, share brief and clear updates on key points. These updates could include reassuring points, such as:

  • We have directly notified all impacted parties and will continue to support them through any questions or concerns.

  • We have identified how the data was accessed and have taken action to re-secure the system.

  • We will be releasing a detailed report once our full and thorough investigation into this incident concludes.

The more information you include in an update, the more opportunity there is for statements to be taken out of context. Be mindful of information overload, which can be overwhelming for people who are worried about their personal information being compromised.

Don't Speculate

While it can be tempting to speculate about unconfirmed details of the incident, especially when there's significant public pressure for information, avoid doing so. Speculating can create confusion and force backtracking later on as you learn more. Speculating can look like:

  • We do not believe this data was accessed with malicious intent.

  • We anticipate a quick resolution to this matter.

When sharing updates, stick to what you have confirmed.

Beware of Sweeping Definitives

Can you really ensure a breach will never happen again? Choosing your words carefully is important when setting expectations and managing risk. Of course you want to reassure your customers, but making broadly definitive statements can come across as pandering — and opens you up to even more scrutiny if you don't live up to them. Instead, make statements you can back up with specific actions. Here's an example:

The security of our customers' data is our top priority, and we have taken this matter extremely seriously. Since discovering this issue, we have taken numerous measures to further safeguard our platform, including:

  • Contacting law enforcement as soon as the breach was detected.

  • Conducting a full and thorough security audit via a neutral third-party auditor.

And so on.

Don't Forget About Customer-Facing Teams

If you have a customer support team, you can count on them receiving inquiries in the event of a publicized security breach. Be clear on how you want them to handle these types of interactions. Should they redirect to a specific contact? Do you have a statement you can provide them with? They may come under pressure to reveal nonpublic information or manage heightened emotions from callers, so it's important to set them up to handle these difficult situations with confidence.

About the Expert

Ashley Sawatsky is an expert in incident management and communication, with a special focus on the SaaS world. As a founding member of Shopify's incident response program for nearly seven years, she led incident communications and processes. Currently, as senior incident response advocate at Rootly, she consults with tech giants, including Canva, Cisco, and Nvidia, on incident response strategies.

About the Author

Edge Editors

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights