
Is your organization prepared for a data breach?

Most companies have a crisis communication plan stashed somewhere. Whether it’s policies and procedures reviewed monthly or updated on a yearly basis, companies must prepare for worst-case scenarios. But has your company prepared for a data breach, when your customers’ private and financial information is compromised and/or stolen?

In our last PR Prep column, we outlined:

  • Response planning
  • Response team building
  • Media training spokespeople
  • Defining stakeholders
  • Assessing the “Bank of PR” with your audiences and customers.

Dianna Fletcher is the Founder and President of Fletcher Media, experts in assisting organizations in working with the media during crisis situations.


But what’s the first step when the potential becomes a grim reality and your company is hit by a data breach?

Assemble an A-Team

If calls haven’t already been made, put together the best of the best.

– Legal experts

– IT forensic investigators

– A spokesperson

– A PR company

– Liaison with investigators

Work with Investigators

At this point, you may or may not know the source of the compromise. Is it internal? External? Be transparent. Be honest. Talk with investigators. Along with the legal team, the investigators will let you know when you can go public. Important: if you can include the investigators (a quote or point of reference) as part of any media statement, this will help rebuild credibility with your audience and stakeholders.

Plan Media Messaging

Take a cue from the investigators. As is often the case with data breaches, the depth and breadth are not immediately known. You can’t comment on an incident that is in the early investigatory phase. Consider your end goal—the impact to your company and its customers. Plan your messages from that end goal.

Craft a Press Release

A press release or prepared statement can be a strong way to communicate your message. Craft a message that 1) is based only on the facts you can reveal that will not hinder the investigation and 2) shows compassion for your audience and customers.

If you don’t feel comfortable putting someone from your company in front of a reporter, fearing they can’t stay on message, don’t do it! Stick with your initial press release or prepared statement.

Prepare your Employees

As you craft your message, you need to share what you can with your employees. In this age of social media, the data breach news may travel faster than the time you have to pull together your team and craft your press release. Bring in your troops; let them know all they need to know. And, let them know how they should interact with customers. Train your employees with the media messages you have developed. They will be interacting with customers, suppliers and other stakeholders.

Reach Out to Customers

This is one of the MOST important steps: How will you help those impacted by your breach?

First, tell them you are sorry and you care. Yes, this breach was most likely from outside sources. But your customers, and the general public, don’t see your company as a target or victim. They just want answers.  Admit that something has happened and say you are sorry.

Find ways to ease the pain. Set up phone lines, with employees who are trained with the correct message points. Sometimes customers just need to talk to someone.

Offer credit monitoring. This is an easy, and often required, step in the data breach recovery process. Outline the credit monitoring offer with explicit instructions for customers and make certain all details are included in every press release, every interview, every media interaction.

Promise to keep your customers and the general public updated. As with any crisis, continual and scheduled updates will keep you in touch with your customers and stakeholders. All will appreciate your company’s transparency and continual work to “right the wrong”. And it will go a long way toward your company’s overall reputation recovery.