By: David Chen, associate of Bryan Cave, and Alex Olsansky, senior corporate counsel at Diamond Resorts International.
A well-written and consistently updated crisis communication plan ensures that a company has the infrastructure in place to respond to a range of natural or man-made crises. While many companies have a crisis communication plan in place, not all plans are equipped to handle cybersecurity-related incidents. Below are six key elements to ensure that your crisis communication plan is prepared to effectively handle cybersecurity incidents.
1. The plan is comprehensible, short, and flexible.
One of the most common mistakes that a company can make when creating a crisis communication plan is attempting to cover every “what if” situation and making the document too complicated for an employee to comprehend. Especially during times of crisis, making a plan overly complex can paralyze the employee in charge and cause additional confusion. In certain circumstances, this lack of action or unnecessary delay can make a company susceptible to allegations of misconduct or negligence.
2. One individual should be designated as the spokesperson.
One individual should be designated as the primary spokesperson to represent the company and answer media questions throughout the crisis. Allowing one individual to be designated as a spokesperson ensures the company is able to control its message and prevents the public and its employees from receiving information that may be untrue or potentially misleading. In addition, a company’s employees should be instructed to refrain from making any comments until directed by the company. In order to prevent rumors from spreading, the company may want to consider creating an FAQ of pre-approved questions and answers once detailed information about the breach has been gathered. This could be used on a public website, or to respond to media or consumer inquiries about the cybersecurity incident.
3. A legal representative should be involved in the crisis communication process.
A company’s in-house counsel or outside counsel should be involved in the crisis communication process by discussing, reviewing, and approving all external messages. Obtaining feedback from counsel reduces the risk that confidential attorney-client information is inadvertently released, or that misleading statements are inadvertently made about the incident. Releasing confidential information and providing false or misleading statements may damage the company’s chances of prevailing in potential litigation, and injure the company’s reputation.
4. The plan provides proper and clear guidance to the public.
Many crisis communication plans take an obligatory, proactive approach to notifying the public with a statement like the following: “The company is aware of the crisis and is responding rapidly and responsibly.” While this approach may be appropriate for an earthquake or an active shooter, it may not be the right approach for a cybersecurity incident. Unlike crisis situations where the details of an event are usually known and then released in a matter of hours, data security incidents are often extremely complex and accurate information about a breach may not be known for days or even weeks.
Furthermore, a company may not want to issue a public statement prior to understanding whether a breach actually occurred or the magnitude of the breach. A premature public statement about an incident that turns out to be false can have serious ramifications for the company’s data subjects. These data subjects may be subjected to unnecessary worry, cost, and inconvenience, or attempt to mitigate a harm that may never materialize or exist.
5. The plan does not conflict with other corporate plans or policies.
A company’s communication plan for a cybersecurity event is typically used in conjunction with an incident response plan. The crisis communication plan must be reviewed and vetted against the company’s incident response plan and with consideration for other policies to ensure that there are no conflicts between policies. Any discrepancies or conflicts between these policies may create delay, confusion, or inaction, and could have serious legal and economic ramifications for both the company and the individuals impacted by the security incident. Discrepancies and conflicts between various plans may also make a company susceptible to allegations of misconduct.
6. The plan is tested on a yearly basis.
An incident response plan should be tested on a yearly basis. During the annual test, it is important not to neglect a company’s crisis communication plan. Conducting a walkthrough or tabletop exercise will allow a company to address any performance issues or policy gaps that may arise during the testing process. Testing the policy also allows company counsel to effectively train employees on how to handle a real crisis.
For further reading on the data security and privacy practices of six companies with global operations, download the ACC primer on "Leading Practices in Privacy and Data Security: Compliance Programs Across the Globe". Organizations featured in this primer describe practices and approaches for working through the matrix of varying and changing requirements across multiple jurisdictions, as well as for integrating policies and practices with systems and security features.