Uncertainty surrounds the revelation that Russia-based hacker group CyberVor has amassed over 1 billion user name and email combinations from websites all over the world.
The cyber security firm Hold Security, which discovered the hack after months of research, claims that many of the affected websites remain vulnerable and will not disclose who has been affected. Along with name and email combinations, the hackers stole 500 million email addresses from 420,000 large, small and even personal websites.
While hackers may not have directly stolen credit card information, this latest security breach calls to memory the 40 million credit card numbers stolen from Target in December and the recent theft of card data from 33 P.F. Chang’s locations.
For communicators, whether or not Hold Security reveals the targeted websites is not the main concern. Regardless of this latest breach, the potential for data vulnerability exploitation has created a situation where communicators must instead prepare for the looming threat of a data security crisis.
Advance planning is key, and many of the communications tools you will need can be drafted in advance and fine-tuned when something bad happens. Spending dollars up front on communications planning and training will save money in the long term and help avoid a devastating reputational hit.
Here are five guidelines to get you started on planning for data breaches, courtesy of Ashley McCown, president of Solomon McCown & Co.:
- Find an attorney before you need one. Identify an attorney with expertise in privacy and data security and establish a relationship. He/she will guide you through all the reporting requirements specific to your industry in the states in which you do business and in some cases federally. They will counsel you on the potential for litigation and review all written communications. And, they can help on the front end by conducting privacy audits and risk assessments to surface potential vulnerabilities so you can address them before a hacker exposes them.
- Update your crisis communications plan to include protocols for reporting a data breach. The steps to follow are specific and prescribed. Get them committed to paper now so there is no question about what to do first, second and third when it happens.
- Draft away. Nearly all communications materials (media statements, fact sheets, Q&As, letters to employees, customers, clients, patients) can be prepared in advance so there is something to work with when the breach occurs. The time and angst you will save by not having to start from scratch will be incredibly valuable and allow you to frame the news rather than respond to questions from media or others.
- Train and practice, practice and train. You don’t want an actual breach to be the first time you put your plan to the test or the first time your crisis response team (reps from IT, HR, customer service, sales/marketing, etc.) meet and work with each other. Tabletop exercises and drills will show you which parts of your plans work well and which ones need to be retooled. And, for members of the crisis team, drills bring to light how important communication across departments is.
- Build a social media presence before a breach. Depending on the scope of a breach (number of people impacted, number of states and whether the data is being misused), social media can play a significant role. In some industries there are blogs dedicated to tracking and dissecting how a network was hacked and how data was moved. Social media networks can light up with complaints from those affected. On the flip side, social media can be a fantastic channel to get your message out and communicate with key audiences, but only if a company has a loyal and engaged following ahead of time. It is impossible to play catch-up and try to build a strong social network once the crisis happens.
To learn more about crisis communications, register for PR News’ Crisis Management Boot Camp, which takes place September 15 in New York City.