Implementing a crisis communication plan is a reality for most organizations. Learn about the reasons why one needs to be executed following a data breach.
An organization’s internal marketing or public relations department may have to execute a crisis communication plan for several reasons. One of those reasons is a confirmed data breach. Although federal, state, and municipal regulators may need to be notified, the crisis communication plan will also need to inform clients and employees who may have had their data compromised. The organization will need to address concerns about potential identity theft and the unauthorized use of accounts, including debit and credit cards.
Keeping those impacted informed and communicating efficiently are critical components of any plan. Prompt and thorough communication also reassures those impacted that the firm is concerned, has taken steps to correct the problem, and is ready to assist. A crisis communication plan should be formulated and in place prior to a data breach. By having protocols with action items already assigned to designees, the plan can be executed swiftly and effectively.
What Information to Include
When communicating with those who were potentially impacted by a data breach, there are key pieces of information they will want to know. First, any communication will need to include who might be impacted, the dates of the data breach, what information might have been compromised, and what potential victims can do to protect themselves. For example, were shoppers who used debit or credit cards between certain dates impacted? If so, what other personal information besides credit or debit card numbers, expiration dates, PINs, and CVV codes might have been exposed? Will the firm be providing free credit monitoring or other services to help victims? What should potential victims do in the meantime to prevent potential identity theft or unauthorized use of their personal information? Who should they contact?
While these examples do not represent all of the pertinent information that an organization will need to disseminate in every situation, data breaches typically involve directly reaching out to potential victims. This can be accomplished electronically or through postal mail. Press releases, radio and television news announcements, and interviews are other means of informing the general public. Many organizations include public notifications as part of a crisis communication plan in the event of a data breach. These types of notifications help alert and reach those whose direct notifications may be delayed.
Internal and External Audiences
A solid crisis communication plan includes both external and internal audiences. External audiences include governments, clients/customers, the general public, vendors, and the media. Internal audiences include employees, the families of employees, executive management, and investors. In the event of a data breach, a communication plan needs to also include the organization’s internal audience. Employees need to be informed of what happened and whether they were impacted. They also need to know how to respond to media and client inquiries. A solid crisis communication plan will also inform employees of whom they can escalate questions and inquiries to, in addition to what their individual responsibilities are in the event they need to respond. Coming up with scripted messages for various levels of employees to use to respond to various external audiences can be helpful; however, some organizations prefer to have either an internal or external marketing/PR point of contact handle some external audiences like the media. Other organizations rely on legal departments or even high-ranking executives as points of contact.
Points of Contact
In the event of a data breach, the crisis communication plan should include details of how different types of audiences will be handled. A hub and spoke model can be used to establish a central source of information and command within the organization. From there, HR might be in charge of being the point of contact and source of information for employees and their families. Likewise, the sales and customer service department might be the point of contact for external customers. How the hub and spoke model plays out will be dependent on the firm’s current size, resources, and structure.
While a data breach is not the only reason why organizations should be prepared to execute crisis communication plans, by nature cybersecurity incidents warrant this type of coordinated response. Potential victims need to be notified and reassured. Government regulators and the community need to know what happened and what steps the organization is taking to fix the problem. They also want to be reassured the firm is taking steps to prevent future problems. Finally, employees, investors, and vendors need to be aware of how to respond and what they can do to mitigate any damages.