Communicating a data breach

The conflict in Ukraine has highlighted that not only are battles being fought on the ground and in the air but also in cyberspace. Attacking and disrupting data are now seen as legitimate strategies to weaken an adversary and cybercrime is now more prevalent than ever. Given our reliance on data and the increasing sophistication of these attacks the likelihood of becoming a casualty of the cyber war, either personally or at work, is greater than ever before.

We are increasingly reliant on our computers and IT systems to run our organisations and our personal lives. It is hard to imagine how we might manage without them but we are obliged to place our trust in others to keep our data safe.  Our dependence on IT and connectivity makes us vulnerable, the loss of a system or the data it contains will bring business to a standstill very quickly.

As well as the many technical challenges presented by cyber crime there are also significant challenges around how and what to communicate should your organisation experience a data breach.

The loss of data might be caused by a deliberate attack upon your system, or it might be caused by human error such as the loss of a laptop or storage media. Whilst loss of data must always be regarded as a serious incident, often in the initial stages, the loss of data may not be in the public domain. This presents a challenge in itself; if people are unaware of the incident, do we need to tell them, and if we do when and what do we share?

From a regulatory perspective the loss of confidential data held by an organisation is a serious incident and must be reported to the Information Commissioner’s Office (ICO) within 24 hours of becoming aware of the essential facts of the breach. Beyond this the ICO expects that if the breach is likely to adversely affect the personal data or privacy of your subscribers or users, you need to notify them of the breach without unnecessary delay.

However tempting it might be to hold off going public, the ICO requires you to inform those affected. Given that the numbers involved are likely to be significant and the nature of the compromised data it is likely that once you have shared that data has been compromised it is highly likely that information will find its way onto both social and mainstream media.

Whilst it may be very tempting to say nothing, at least until the point someone becomes aware of the incident, in reputation management telling bad news first is regarded as a positive step. It puts you on the front foot rather than being seen as reactive or trying to conceal something. It tends to draw media to you and that allows you to tell your story first, in your words and gives you some control over the news agenda.

There are two distinct challenges with dealing with a data breach. The first is at the heart of reputation management in that in losing personal data your organisation has broken its promise of trust. You promised to keep my data safe, and you didn’t. Why should I trust you now? Rebuilding that trust is crucial, so within your communication you must show that you care and you understand the concerns of those affected. An apology, even if the data breach is as a result of criminal activity, is entirely appropriate.

The second distinct challenge is that it is hard to provide visible evidence of what you are doing to address the situation. In many incidents it is relatively easy to show the actions that have and are being taken to rectify a situation. With data breaches it isn’t. Within your communications you will have to work hard to show what is being done and what doing those things mean. As part of your preparation for dealing with a data breach it would be wise to list those actions that you would take should it happen.

Be positive and be open. Be ready with your communications and work hard to rebuild trust.

Positive Impact

For all your media training needs please contact us by clicking here.


2024 Positive Impact Communications & Training Ltd . All Rights Reserved.

View our Privacy Policy

Web Design and Hosting by Lincolnshire Web Design