E-commerce data breach: what to do when it hits the fan (part 2 – communications)
As highlighted in part 1 of Door4’s data breach double bill, it can happen to any business. Not every breach is devastating but the more prepared you are to deal with it, the better for your business and your customers.
While you focus on stopping or fixing the breach and minimising its impact, don’t forget your customers will eventually need information, as will every other group of people involved.
Hey, some journalist has been on the phone saying a customer has had their card details stolen. Was I right to deny everything? We haven’t even told the ICO yet!
Of course, customers are your primary consideration: when and what you communicate to them is your first consideration. After that, decide how and when you’re ready to contact the media, and when you need to contact your regulator.
The last thing you want to do is have to make these crucial decisions in the pressure cooker environment of a crisis.
Know your crises
I’m tying this into data breaches, but your overarching plan should project scenarios for any kind of emergency – from loss of internet, to a badly-worded tweet sent out by the chief exec, to a data breach. A canned response to one type of crisis isn’t necessarily appropriate to use in another scenario.
Know your rules & regs
The type of breach plus other criteria (like your sector) dictates who you’ll need to inform and what you need to tell them. The Information Commissioner’s Office, for example, needs to be told about personal data breaches as soon as possible and within 72 hours.
Write all this into your action plan. The good news is, you don’t have to report every breach. So understanding what you do need to do, means understanding what you don’t – taking the pressure off.
Your comms team won’t be responsible for informing every affected group (like the ICO) but they should be in the room when these decisions are made.
Which leads us to…
Build a strong team
Who do you need to help steer your emergency communications?
- Crisis team leader who can keep a level head and is comfortable leading upwards
- A high level senior colleague with accountability, plus an official spokesman to the media who has had media training (can be one and the same)
- Security or information specialist, who is fully informed about the nature of the breach, its extent and what’s being done from a technical perspective to limit its damage and prevent it from happening again
- Representatives from internal and corporate communications (possibly the same person in small companies)
- Copywriter or marketing executive with good tone of voice skills and synergy with all your brand’s marketing and service channels
Each member of your team should be clear on their role and responsibilities within this team. Who will be taking calls from the media? Who will be chasing updates from the systems admin? Who will be contacting the ICO and tracking when we need to do this? Who needs to approve communications? Who will liaise with and support any affected external partners?
As a team you’ll need to be move swiftly and without panic, remaining flexible to developments and with your eyes firmly on a positive outcome for everyone. For this, your team needs a plan.
Document your plan
This can be a text document or spreadsheet – as long as it’s written down and approved as the way forward – at the highest level and in advance. This is all about imagining what could go wrong and planning a controlled response that will help your business return to normal as soon as possible.
Like part 1 where we unpacked the process for stopping and fixing a security breach, this comms plan can feed into a full business continuation plan.
- Statement of intent – document your objectives. For example, maybe it’s “communicating as honestly as possible, informing customers without panicking them, ditto colleagues (especially customer-facing ones), liaising with media to help disseminate information and maintain the good reputation of the business”. A sentence or a few bullet points are ideal to keep you focused.
- Channels and resources – ?audit all ways you have to communicate with everyone affected and involved: all digital channels including social media and website; internal email directories; mobile phones; media contacts; whiteboards in reception; Paid Media; tannoy system; colleagues on the phone or in person. Who is in charge or has access to all these channels? Who knows the Twitter password? Who knows where the freestanding whiteboards are kept? Who has the key to the stationery cupboard?
- Plot threat scenarios – from a hacked social media account or Twitterstorm, to a product recall, server breach, prominent death, power outage, bad weather, supplier failure, poor financial results…
- Audiences – a list of every person or organisation you might need to speak to, plus their up-to-date contact details. This means everyone from customers and suppliers to regulators and the media. Don’t forget to include your crisis team’s details. It’s worth mentioning that if your partners or suppliers are involved, be aware they might need guidance and practical support. Speaking of partners, your payment gateway could offer support? – check out their procedures in advance.
- Messaging – draft sample messages that you can customise to fit a real event, for use on all your channels. Draft tweets, web pages, press releases, internal emails, call waiting scripts, FAQs and call centre responses. Beware of already-scheduled comms that might clash with new crisis messaging. Which leads us to …
Your master document – a single source of truth
Collaboratively, draft your response to the crisis. This master document will inform and align all other communications in this first stage. Reputations have come unstuck when brands say one thing to one audience and something else entirely to another. Be as transparent and accurate as you can.
For convenience, this first document might be a public facing press release. From this you can create an internal comm to employees, emails social responses and an emergency message on your website, for example. Senior management must approve everything.
Your single source of truth will guide how you respond to an unfolding event. When a real crisis story has broken, it’s difficult to predict or control, so setting off on a positive footing is important. As it unfolds, your crisis team will be reassessing and revising responses continually until the event is resolved and any fallout has been addressed.
Practice, revise and iterate
Large businesses dedicate whole days to enacting business continuations and crisis management plans. How far you want to go with this depends on your business, though at the very least you need to run through and update regularly. Practice will help you refine your plan and improve your response – there’s no better teacher than experience. It will reveal holes and help you identify if you need to upskill.
- Key takeaways
- Be prepared
- Practice your plan
- Be transparent
- Apologise sincerely
- Be proactive
- Don’t panic
- Put customers first
- Don’t forget regulators
Photo by James Ting on Unsplash. This article first appeared on Medium.