The time period between the discovery of a data breach and a company’s public announcement is never stress-free, even if you have managed the responses to other data breaches and your company has a preplanned response strategy in place. The work does not end though once all the moving parts come together and your company announces to the public that it has experienced a data breach.
You may have carefully drafted a letter regarding the breach to be sent to your customers, prepared detailed scripts for your call center to follow when customers call in for information about the breach, designed data breach information pages that will go live on your company’s website, trained your frontline employees on how to respond to questions from customers, and hired a public relations firm to respond to media inquiries — but you may still have more messaging issues to manage. The examples below are adapted from actual incidents to illustrate how companies can drop the ball on their post-breach announcement communications to their customers, shareholders and the public.
Maintaining a timely message
Post-announcement messages should continue to provide customers with the basic facts about the data breach. A retailer that had publically announced a payment card data breach elected to also post a large sign in its stores with a letter to its customers advising them of the breach. The letter was signed by the CEO and provided the basic facts about the breach in a clear and easily understandable format. The letter missed one important fact — it noted the breach happened “last week,” but the letter was not dated.
The message in the letter was well-drafted and consistent with the company’s prior public announcements about the breach, but the company failed to provide context in its messaging in the stores. This may have been a typographical oversight or the company may not have known the exact dates of the breach when the signage was printed. However, without some reference to even the approximate date or range of dates of the breach, customers had no way of knowing whether they were impacted by the breach. Also, the longer the sign stayed in each store, the greater the number of customers who saw the message, and many of these customers may have erroneously believed they had been impacted by the company’s breach because they shopped at the store “last week.”
Maintaining a consistent message
Most companies train their frontline employees on what to say to customers who inquire about the breach, but other loose lips may sink the ship. Although your company may have designated a spokesperson for the data breach, others in the company, particularly those in executive management, may be called on for comments on the breach.
A member of a company’s executive management team may tell reporters that “we’re clearly accountable and responsible so we’re not going to sleep until we make significant changes, and we’ll do everything possible to make this right to ensure a safe environment at all times for our customers.” These statements may not mesh with the company’s prior messages regarding how the breach happened and what the company is doing or intends to do to prevent another similar breach. Everyone should be speaking from the same script to ensure that the company’s message is on point and consistent. Such inconsistencies and broad assurances can have a negative impact in subsequent litigation regarding the breach.
Maintaining a customer-centric message
Companies should continue to manage their post-breach announcement messages to ensure that they focus on two things: the customer and the breach. Customers are interested in knowing who, what, when, where, and how all of this impacts them. This is not the time for waxing poetic about the company or whining about the impact the breach has had on the company. One company CEO noted after a breach was made public that “the company was going to become a better and stronger company as a result of the breach.” This message is little consolation to a customer who has been the victim of card fraud due to the breach. Customers also do not care if the CEO, CPO, or anyone else at the company has not slept since the breach or if the CEO’s heart sank when he or she learned of the breach.
Go ahead and breathe a sigh of relief when you have managed to get all of the moving pieces together and have gone public about a data breach, but don’t forget that your company’s messages to its customer, shareholders, and the public after this announcement are also important. Continue to stay on message and maintain the focus on your customers and the facts that will help them.
Republished with permission. This article first appeared in Inside Counsel on May 29, 2014.