A conversation about data breach crisis communications

Marriott International, the largest hotel chain in the world, is one of the most recent corporations to suffer a substantial data breach, joining the likes of Equifax, Sears and Target. This group highlights just how volatile cybersecurity threats have become and how far-reaching their impact can be. As technology has evolved and transformed business operations across all industries, the potential for data breaches has grown exponentially.

We sat down with Infinite Global’s President Zach Olsen, who oversees the firm’s crisis communication and data breach response services, to garner his insights into how breach response has changed and how pre-incident planning can positively affect a company’s ability to respond to a crisis.

How have data breaches changed over the past few years and how have crisis communication strategies evolved in response? What unique considerations need to be accounted for when dealing with this type of crisis situation?

The communications side of data breach response hasn’t necessarily changed dramatically in terms of tactics, but what has changed is the level of preparation and resources that organizations are devoting to breach preparation.

The sticky thing about breaches is that often during an investigation you don’t know with absolute certainty that you have the fact pattern right, so communicating with confidence can be difficult. Luckily, many of our clients are investing the time and resources upfront into planning how they will respond to a crisis, and, for us, that makes responding quickly and effectively easier when the pressure is on.

OK, so having a plan and being prepared is key to staying on top of a crisis when it occurs. But, often the fallout of a data breach is extensive and prolonged. How does a company sustain control over its communications for the entirety of the situation?

Depending on the scale of the breach and the public footprint of the company, tactics will differ. A large public company will have much more to deal with in respect to managing the media and making sure the facts about the breach are reported accurately and clearly.

Social media can be a key tool when interacting over a long period of time with customers. Setting up an independent website that is dedicated solely to news about the breach is an effective way to make sure audiences have up-to-date and easily accessible information about the status of the investigation and remediation.

Talk to me more about how a company’s social media accounts can be used as crisis communications tools when addressing a data breach.

Social media, if used properly, is critical to rolling out and maintaining communications with victims of a breach. We don’t often encourage our clients to engage customers or clients one-on-one on social media platforms during a time of crisis, but rather to leverage the broad reach of social media platforms to point victims to approved communications materials: FAQs, a letter or video from the CEO, notification letters, etc.

Do those approved communications materials vary in messaging depending on the targeted audience?

It very much depends on the organization that has been affected, but broadly speaking, being aware of and sensitive to the different needs of your audiences — what they care about and how they receive information — is hugely important when planning to communicate about a breach. Understanding your audiences and being able to put yourself in their shoes is critical.

What are your takeaways from the communications strategies that followed recent, specific high-profile data breaches?

The most obvious recent example of a poorly handled major breach is Equifax. So many things went wrong there, though not all of them were Equifax’s fault nor the fault of their communications firm. These days if a breach is handled well — that is, investigated thoroughly and communicated about transparently — it is barely a blip on the radar. “Breach fatigue” is a reality for most consumers, and unless an individual is affected directly, something nefarious is done with the stolen data, or the company egregiously mishandles the response, we won’t even hear about it in the news.

With data breaches looming large on many companies’ lists of concerns, how can a thorough crisis communication plan provide comfort and security to those whose jobs might depend on their ability to successfully navigate their organizations through a crisis?

More and more frequently, our clients are coming to us to ask for help preparing in advance for crises, breaches included. This is great news for us because it allows us to sit down with a client and figure out what sorts of threat they are most concerned about, where they have gaps in their team, and where we can be the most helpful if an incident hits.

We use information gathered from those sessions to build a customized, actionable crisis communications playbook that the client can use as a roadmap to thoughtfully address the crisis at hand and help to minimize the damage that it could do to the organization’s employees, customers, brand and bottom line. There is no substitute for having a good plan in place and the right team to help execute it.

Zach Olsen is the President of Infinite Global, where he leads its San Francisco office, and oversees the firm’s crisis response and reputation management group. He can be reached at zach@infiniteglobal.com.

Amanda Shewry is a Junior Account Executive at Infinite Global, where she assists with crisis communication playbooks and media outreach. She can be reached at amandas@infiniteglobal.com.

To learn more about data breach response and crisis communications preparation services, please reach out directly to the Infinite Global team or sign up for our quarterly “Crisis Communications Report.”