Communicating the Data Breach Externally

It is important for organizations to be prepared to respond to a data breach. The following is an excerpt from an article written by Ice Miller's Data Security and Privacy Practice, which provides some practical suggestions for preparing an organization to respond to a data breach.

External communication and notification after a breach is often essential to the public’s perception of the data breach. Whether laws of the jurisdiction mandate notice, or whether the company is taking the initiative to disclose the breach and its impact, communication that is organized and carefully disseminated can minimize confusion, garner goodwill, mitigate damages, and demonstrate transparency and cooperation.

A good data breach response plan can identify such communication and notification goals. For example, communication to customers whose personal information was compromised is particularly important and, at times, legally mandated. Identifying the applicable state and federal laws that require compliance is the first step. For businesses operating in different legal jurisdictions, this can become a complicated task. For example, some states set time limits for when a customer must be notified, specify the circumstances under which notification must be made individually or en masse, or define exceptions to the notification requirement.

Within the breach response plan, the company may wish to identify the party responsible for creating and approving any outgoing communication. Effective communication may demonstrate compliance with applicable legal requirements or clearly articulate sufficient information so that a customer can make an informed decision or take any corrective actions. For example, a typical customer notification may describe the incident, the information that was compromised, the consequences of the breach, and protective measures that consumers can take.

Post-Incident Review

The best time to review the incident response, and update the response plan, may be immediately after an organization has been through a data breach. Technologies, personnel, policies, laws, and procedures change. Reviewing, evaluating, and updating a breach response plan can ensure that it is still relevant. The organization can also evaluate its data security measures following a breach to mitigate any other potential threats.

While it is never a good time to be the target of a data breach, planning and preparation can play a vital role in helping your business respond to and recover from one.