TechCrunch reports that the hysteria began on Monday night when an anonymous user took to Pastebin claiming that he/she had compromised 7 million Dropbox passwords. The user posted a tease of the alleged leak, a couple hundred usernames and passwords in total, but Dropbox quickly responded in a blog post, saying, "Your stuff is safe."
Dropbox says that the stolen credentials were not taken from their servers but from an unspecified third party. The company's statement confirms that the hacked credentials were—at one point, at least—valid Dropbox credentials but that they have since expired or were reset when malicious activity was detected.
Sound confusing? It is. And after last week's Snapchat hack, there is still reason to worry about the future safety of your information. To help you plan your response to a hack of sensitive material, here are 5 guidelines to follow, courtesy of Ashley McCown, president of Solomon McCown & Co., and contributor to PR News' Crisis Management Guidebook Vol. 7:
- Find an attorney before you need one. Identify an attorney with expertise in privacy and data security and establish a relationship. He/she will guide you through all the reporting requirements specific to your industry, in the states where you do business and in some cases federally. He/she will counsel you on the potential for litigation and review all written communications. And he/she can help on the front end by conducting privacy audits and risk assessments to surface potential vulnerabilities so you can address them before a hacker exposes them.
- Update your crisis communications plan to include protocols for reporting a data breach. The steps to follow are specific and prescribed. Get them committed to paper now so there is no question about what to do first, second and third when it happens.
- Draft away. Nearly all communications materials (media statements, fact sheets, Q&As, letters to employees, customers, clients, patients) can be prepared in advance so there is something to work with when the breach occurs. The time and angst you will save by not having to start from scratch will be incredibly valuable and allow you to frame the news rather than respond to questions from media or others.
- Train and practice, practice and train. You don’t want an actual breach to be the first time you put your plan to the test or the first time the members of your crisis response team (reps from IT, HR, customer service, sales/marketing, etc.) meet and work with each other. Tabletop exercises and drills will show you which parts of your plans work well and which ones need to be retooled. And for members of the crisis team, drills bring to light how important communication across departments is.
- Build a social media presence before a breach. Depending on the scope of a breach (number of people impacted, number of states and whether the data is being misused), social media can play a significant role. In some industries, there are blogs dedicated to tracking and dissecting how a network was hacked and how data was moved. Social media networks can light up with complaints from those affected. On the flip side, social media can be a fantastic channel to get your message out and communicate with key audiences, but only if a company has a loyal and engaged following ahead of time. It is impossible to play catch-up and try to build a strong social network once the crisis happens.
Follow Ashley McCown on Twitter: @AshBoomerSooner
Follow Brian Greene on Twitter: @bw_greene