Tucked away in the CFO Journal section of today’s The Wall Street Journal is a very important story for corporations –about when to communicate publicly about a hack. We are all familiar with famous hacks and data breaches at Target, Sony, Home Depot, JP Morgan, yet only 95 of the 9,000 publicly traded companies in the U.S. have been the victims of data breaches. Several professional societies offered protocols for CIOs or CFOs to follow in the story.
But what is a communicator to do. The data breach/hack should be treated with a crisis communications protocol. First and foremost, every company should prepare for an event like this as they become more common. Hacks should become a part of every company’s crisis communications plan.
Some points for companies to immediately consider before initiating public comment:
- What data was breached and was consumer information compromised
- Was it a material breach as defined by the SEC or other government agency
- Is the attack contained, or is there still exposure
Once the basics have been determined:
- Communicate what you know and what you are doing to address the issue
- Notify regulatory agencies as appropriate
- An initial communication to internal audiences
- A statement to customers and vendors/suppliers
- Be proactive on social media
- Continuous monitoring of stakeholder audience chatter
- Issue statements/updates as you receive further information or take steps to rectify the breach
We unfortunately live in a society where we will encounter more and more of these breaches every day. Hence our best defense is to be prepared, to practice and drill against these threats so we are better prepared to communicate with our stakeholders.