Cybersecurity In-Depth: Getting answers to questions about IT security threats and best practices from trusted cybersecurity professionals and industry experts.
What's the Best Way to Communicate After a Data Breach?
So you've had a data breach, and now you need to take the next step. Here's a guide for communicators dealing with security incidents from Ashley Sawatsky of Rootly.
Question: How can organizations effectively communicate with users and external stakeholders in a security incident?
Ashley Sawatsky, Senior Incident Response Advocate, Rootly: No matter how well-prepared you are, experiencing a security breach is a massive challenge for organizations of any size. They are one of the most nuanced situations for communicators responsible for keeping those affected and the general public informed. These situations are often technically complex, emotionally charged, and deeply impactful to the public's trust in your brand. No matter what method you choose to share news — be it social media, your online newsroom, or elsewhere — these communications will be under an intense amount of scrutiny. Every word you choose counts. Based on my experience strategizing security communications for global tech companies, here are my tips for crafting expert communications during a security incident.
Bring in the Lawyers
Your legal counsel is a precious resource during highly sensitive security incidents. Before you start writing anything, consult with them on what can be communicated and any key considerations. Sending any draft messaging through your legal team helps you avoid major missteps that can lead to public scrutiny, regulatory issues, or litigation. Data privacy is heavily regulated and deeply complex — your obligations around disclosure vary by geography, type of data exposed, and more. This is certainly not an area you want to tackle without a legal expert.
Depending on the severity of the situation and the size of your company, you may want to seek additional counsel, such as specialized crisis management consultants who can coach your executive team through a communications strategy.
Get Ahead of It
You don't want people finding out their data was compromised from a press outlet, social media, or other source. Aside from the relevant stakeholders internally (and your board, if relevant), your first touchpoint should be those directly affected.
That said, as soon as those communications are out, they're likely to be shared. To maintain control around the narrative, prepare a press release to distribute immediately after you notify affected parties.
Provide Quick, Frequent Updates
As an incident unfolds, new information will be coming into light constantly. Instead of trying to capture all the details of an incident in a single communication, share brief and clear updates on key points. These updates could include reassuring points, such as:
We have directly notified all impacted parties and will continue to support them through any questions or concerns.
We have identified how the data was accessed and have taken action to re-secure the system.
We will be releasing a detailed report once our full and thorough investigation into this incident concludes.
The more information you include in an update, the more opportunity there is for statements to be taken out of context. Be mindful of information overload, which can be overwhelming for people who are worried about their personal information being compromised.
Don't Speculate
While it can be tempting to speculate about unconfirmed details of the incident, especially when there's significant public pressure for information, avoid doing so. Speculating can create confusion and force backtracking later on as you learn more. Speculating can look like:
We do not believe this data was accessed with malicious intent.
We anticipate a quick resolution to this matter.
When sharing updates, stick to what you have confirmed.
Beware of Sweeping Definitives
Can you really ensure a breach will never happen again? Choosing your words carefully is important when setting expectations and managing risk. Of course you want to reassure your customers, but making broadly definitive statements can come across as pandering — and opens you up to even more scrutiny if you don't live up to them. Instead, make statements you can back up with specific actions. Here's an example:
The security of our customers' data is our top priority, and we have taken this matter extremely seriously. Since discovering this issue, we have taken numerous measures to further safeguard our platform, including:
Contacting law enforcement as soon as the breach was detected.
Conducting a full and thorough security audit via a neutral third-party auditor.
And so on.
Don't Forget About Customer-Facing Teams
If you have a customer support team, you can count on them receiving inquiries in the event of a publicized security breach. Be clear on how you want them to handle these types of interactions. Should they redirect to a specific contact? Do you have a statement you can provide them with? They may come under pressure to reveal nonpublic information or manage heightened emotions from callers, so it's important to set them up to handle these difficult situations with confidence.
About the Expert
Ashley Sawatsky is an expert in incident management and communication, with a special focus on the SaaS world. As a founding member of Shopify's incident response program for nearly seven years, she led incident communications and processes. Currently, as senior incident response advocate at Rootly, she consults with tech giants, including Canva, Cisco, and Nvidia, on incident response strategies.
About the Author
You May Also Like
Applying the Principle of Least Privilege to the Cloud
Nov 18, 2024The Right Way to Use Artificial Intelligence and Machine Learning in Incident Response
Nov 20, 2024Safeguarding GitHub Data to Fuel Web Innovation
Nov 21, 2024The Unreasonable Effectiveness of Inside Out Attack Surface Management
Dec 4, 2024