Decisions regarding what and how much information to disclose in sensitive matters have long been a source of conflict between legal and communications counsel at companies of all sizes. Most often, attorneys will argue for opacity and PR professionals will push for transparency, often with little room for compromise on either side.
When a cybersecurity breach occurs, the financial stakes involved – in terms of legal expense, remediation, fines and compensation for victims – can force senior management to ignore or shortchange communications-related issues. But financial and reputation risks both need to be addressed simultaneously when a breach occurs.
Litigation Liability Often Trumps Brand Reputation
Despite the increased likelihood of becoming a victim of cybercrime, a significant percentage of all organizations continue to play the odds, satisfied with weak or outdated safeguards, either hoping to dodge a breach or believing that cybersecurity insurance will cover damages if one should occur.
Most under-prepared “at risk” companies, and even some well-defended firms, have not created or maintained a formal cybersecurity breach protocol that addresses both their legal liabilities and brand-related risks. Without a detailed breach protocol in place in advance of an incident, a board is more likely to follow the advice of legal counsel, rather than adopt an ad hoc communications plan that’s devised while a breach-related crisis is in progress.
There’s always a price to be paid – in terms of trust, brand reputation, and loyalty among internal and external audiences – for focusing on litigation concerns at the expense of communication with stakeholders, who usually forget the breach details, but remember how well the crisis was managed.
Major Components of an Integrated Breach Protocol Strategy
Boards that take management of legal and brand risks seriously have a formal integrated breach protocol in place, with the expectation that a cybersecurity incident is likely to occur in the future. Ideally, their protocol has been developed by a cross-functional internal team of senior technology, legal and communications professionals; vetted by outside counsel and third-party experts in those three disciplines; and approved by senior management and its board.
Breach protocols will vary depending on a company’s size and industry, as well as the type and sensitivity of its data and systems, but there are some guidelines that can serve as a template for plan development and implementation:
Put Privacy Policies in Place
All employees and contractors should have appropriate confidentiality and nondisclosure agreements, to prevent liability in the event of a data breach that may have been intentionally caused by one of these parties.
Know Your Insurance Coverage
Perform a cost-benefit analysis of potential losses in order to negotiate appropriate cyber coverage. Understand what’s covered in your policy, in your cloud provider’s policy and in your counterparties’ policies. If a breach occurs, immediately notify your carrier and insurance broker, and be prepared to hold your carrier’s feet to the fire for proper compensation.
First Stop the Bleeding
The primary task is to contain the breach and ensure that systems are out of danger. The plan’s response team – identified in advance – must stop the data leakage, remove the hacker, remediate the affected systems and, most importantly, document their breach analysis. A breach protocol requires that the response team – including a third-party technology firm – document all of their steps to preserve evidence of the breach, create the disk images and detailed reports necessary for a more detailed forensic investigation, and prevent the issue from reoccurring.
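The evidence-preservation step above is where the legal and technical tracks meet: a disk image or log export is only useful to counsel and regulators if the company can later show it was not altered after collection. The following is an added illustration, not code from the original article, of the minimum record a response team keeps for each collected artifact: a cryptographic hash, who collected it, when, and from which system, with a verification routine that re-hashes the artifact and flags any post-collection change. The artifact contents, the hostname `web-01.example.internal`, the collector name and the file names are constructed placeholders; the script stands in for the integrity record that accompanies a real disk image, not for the imaging itself.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample artifact standing in for a collected disk image or log export.
SAMPLE_ARTIFACT = (
    b"constructed sample: exported web server log, 1 line\n"
    b'10.0.0.5 - - [01/Jan/2024:00:00:00 +0000] "GET /login" 200\n'
)


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so large disk images never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_evidence(path, collector, source_host, manifest_path):
    """Append a custody entry (what, hash, when, who, from where) to a JSON-lines manifest."""
    entry = {
        "artifact": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "sha256": sha256_file(path),
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "collector": collector,          # hypothetical responder identifier
        "source_host": source_host,      # hypothetical hostname supplied by the caller
    }
    with open(manifest_path, "a", encoding="utf-8") as m:
        m.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_manifest(manifest_path, artifact_dir):
    """Re-hash every artifact named in the manifest; return (artifact, still_intact) pairs."""
    results = []
    with open(manifest_path, encoding="utf-8") as m:
        for line in m:
            entry = json.loads(line)
            path = os.path.join(artifact_dir, entry["artifact"])
            ok = os.path.exists(path) and sha256_file(path) == entry["sha256"]
            results.append((entry["artifact"], ok))
    return results


def demo():
    """Collect the constructed artifact, verify it, modify it, and verify again."""
    workdir = tempfile.mkdtemp(prefix="ir-evidence-")
    artifact = os.path.join(workdir, "webserver-access.log")
    manifest = os.path.join(workdir, "custody-manifest.jsonl")
    with open(artifact, "wb") as f:
        f.write(SAMPLE_ARTIFACT)
    record_evidence(
        artifact,
        collector="responder-01",
        source_host="web-01.example.internal",
        manifest_path=manifest,
    )
    before = verify_manifest(manifest, workdir)
    # Simulate an accidental post-collection modification of the evidence file.
    with open(artifact, "ab") as f:
        f.write(b"appended after collection\n")
    after = verify_manifest(manifest, workdir)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before modification:", before)
    print("after modification: ", after)
```

In practice the manifest itself is stored separately from the artifacts (and ideally signed or written to append-only storage), so that a question from counsel or a regulator about whether an image is the one taken on the day of collection can be answered by re-running the verification rather than by assertion.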
Engage Outside Technology Expertise
When a data breach occurs, the current internal or external IT provider will always have a vested interest in keeping your business or their job, so you may not receive a complete or accurate explanation of the incident. A breach protocol should identify pre-qualified, unbiased, third-party IT resources that specialize in incident response and analysis. This information is critical to help determine whether a company needs to go public or notify customers regarding a breach, and to demonstrate that the company has properly investigated the breach for legal and notification purposes.
Engage Outside Legal Counsel
Although internal counsel may be highly skilled, the decision regarding whether the potential for litigation exists should be shared with outside counsel, because that key decision will drive the response protocol. Retention of outside counsel affords the company protection of actions and communications related to a breach response through attorney-client privilege and the related work product doctrine. Outside counsel also has greater command of state, federal and industry-related disclosure requirements.
Don’t Report Too Soon
Depending on circumstances, law enforcement may need to be notified as soon as a third-party investigation begins, but there is no federal data-breach notification statute, and companies have approximately 45-60 days to report a breach to most state and regulatory authorities. Timing of breach notification to all authorities should be driven by the company’s investigation and analysis of the breach, and by its plan to remediate the problem. Submission of a breach notification in advance of a thorough and well-articulated report may serve to prolong the issue and raise additional red flags for regulators.
Don’t Talk Too Soon
Assume that internal audiences, outside of your response team, will be aware of the breach, and that the likelihood of inquiries from external parties – including the media – exists from the outset. For that reason, your company’s breach communication protocol should include tactics to cover a range of scenarios. Ideally, it’s best to initiate the communication process internally only after the cause and extent of the breach are fully understood, but it may be necessary to respond in advance of that. The company’s response should never be “No comment” with any audience, regardless of where it is in the breach analysis process.
Follow a Communication Discipline
Once a decision has been made (either by design or necessity) to begin breach-related communication, it’s important that the company follow the logic and discipline identified in its breach protocol. This means identifying and prioritizing all of the company’s internal and external stakeholders – employees, customers, affected parties, media, shareholders, etc. – in terms of the order in which they will be contacted under different scenarios. It also means ensuring that the messaging tailored for those audiences includes a clear explanation of what happened, how the problem was addressed and what’s being done to help those affected.
Centralize Information Flow
A breach protocol should identify the single resource the company will use – from the outset of the incident – to centralize all incoming and outgoing communication, as a means to ensure consistency of messaging, to address misinformation and rumors, and to respond immediately and directly to all questions and concerns related to the breach.
Update and Practice Protocol
A breach protocol that sits on a shelf is only a little more effective than having no plan at all. As individuals within the company change roles, new types of cyber threats emerge, outside resources shift and the organization evolves, a breach protocol will require updating, education, training and rehearsals at least every 6 months.
This rudimentary template suggests that preparation of a breach protocol demands a significant amount of planning and cooperation within a company; and in fact, that is the case. Companies that are reluctant to make this investment might be well-served to consult with CEOs of firms that have been victimized by cybercriminals, to appreciate the benefits of having an integrated breach protocol in place.