The New Crisis Communication Challenge: Data Breach

Transcription

1 The New Crisis Communication Challenge: Data Breach By Lisa MacKenzie When a data breach occurs, how an organization responds and communicates to its customer, patients or stakeholders can be the difference between a potential class action lawsuit and an opportunity to reinforce a commitment to quality and customer care. According to Second Annual Benchmark Study on Patient Privacy and Data Security 1 by the Ponemon Institute, the negative impact of a data breach can diminish healthcare brand reputation, tarnish perception and lead to precipitous declines in patient goodwill. This all sounds good in the abstract. Data breaches are becoming more common than the cold, yet oddly, a surprisingly small number of all organizations have a plan for managing the response with the media. Whether you operate a small dental office or run a multinational corporation, the response methodology is roughly the same. What varies greatly is managing the depth of the situation and integrating the communication with the entire response process. Let s break it down to four steps: 1. Plan and Assess 2. Messaging 3. Outreach and Response 4. Analysis and Further Action To begin, our focus will be on step 1: Planning and assessing the breach situation. When a breach happens, inevitably everyone panics. Having a plan in place before a breach occurs is like taking an aspirin before the headache turns into a migraine. Sadly, most organizations are still stuck with the notion that it will never happen to us. 1 Ponemon Institute s Third Annual Benchmark Study on Patient Privacy & Data Security

2 Every organization needs a plan that is customized to meet its needs. Regardless, a plan should include the following baseline components: Data intake from the CIO, privacy officers, legal and HR A full written description of the incident and the total affected population Review and analysis of pertinent documents including forensic reports and incident reports A list of notification requirements (Federal and State) that matches the affected population An action plan with timelines and responsibilities Ideally, this plan skeleton can be developed outside of a breach incident and reviewed quarterly to make sure that it is still addressing organization needs. A good rule of thumb is to review the plan against industry trends and update it to include any new regulatory requirements. It s how you say it and more Messaging can be tricky. It s a delicate balance of honesty, clarity and precision - saying enough and not hiding the facts while communicating clearly to avoid being misunderstood. Messaging is a three- legged stool if one of the legs isn t sturdy, the whole thing falls apart. In theory, the messaging element sounds easy enough but it can be the one element of Data Breach Communication that will having a lasting effect on the breached organization. When developing the messaging platform for a data breach, make sure you have this information: 1. The date of the breach. Use the data of discovery of the incident. 2. How the breach occurred. Was it a theft, internal breach, hacker? 3. The information that was breached. Exactly what was compromised - names, addresses, social security numbers, medical records? 4. Details on the investigation Was an internal and/or external audit conducted? 5. New security measures What new procedures have been put into place as a result of the breach?

3 6. Notification details How is the affected population being notified? When? 7. Resources for the affected population What services are being offered? Providing resources to those affected will be seen as a positive step in a potentially negative situation. All of the data outlined above is critical for developing a solid messaging platform. However having this information does not guarantee a stress- free process, however it will keep everyone on the same page and reduce confusion. It s time to talk Communicating the details of a data breach can be the part of the process that produces the most angst. Exposing the nitty- gritty of a breach can have serious implications. A breach is a threat to an organizations reputation and can be potentially mean fines or lawsuits. Notification is a requirement if the affected population and exposed records meet state and federal guidelines. How you notify is important. The timing of notification is equally critical and that is tied to the notification requirements for your state. If the affected population is broad and/or has notification complexities (such as missing addresses) additional notification many be required. For example, a press release or a public notice can serve as a suitable means to notify. Crafting the press release or public notice should be carefully constructed. At a minimum, it should include the points that everyone will ask what, when, how, why, who. Special attention should be placed on the resources being provided to the affected population such as toll- free numbers to contact a live person who can answer questions, online access to services such as credit monitoring or even better, restoration services if the breach leads to medical or identity theft. Demonstrating that your outreach has been adequate requires using certain methods of distribution, either a wire service for a press release or a newspaper for public notices. Be sure to include proof of distribution in your records. Also, consider regulatory authorities part of your communication outreach and include them in every distribution. They are paying attention. Early and regular communication with them can potentially reduce their displeasure later. With the notification letters out and possibly a press release or public notice posted, the potential for calls from reporters increases. When a reporter calls, preparation for answering their questions is essential. Many companies prefer to bring in the assistance of a professional who is skilled at working with the media. A crisis is not the time to gain experience in working with the press.

4 Oh right, you work for us. Considering the requirements for external communication is critical, yet don t forget your internal communication as well. Working hand- in- hand with human resources to communicate effectively to employees about the breach and the internal processes that need to be changed is equally important. Employees will discuss the breach regardless of the controls you put in place. Arming them with the right information will support all efforts to communicate effectively. Next we will review the recommended analysis. Is it over? When the dust settles, it is typical for an organization to give a sigh of relief and move on to other important tasks. Don t. Take the time to evaluate your processes. Be critical. Examine the effectiveness of each and every step. What did you miss? What worked well? What can be improved? Document it. With the internal process changes in your organization, there is always hope that a data breach will not occur again. We re seeing positive changes taking place specifically with organizations proactively conducting security risk and privacy audits. However, the threat still looms. Increased use of unsecured personal devices, cloud computing, employee mistakes, not to mention a potential audit, all continue to pose a threat on even the well intentioned. About the Author Lisa MacKenzie is a communications professional with more than 25 years of experience working with start- ups to Fortune 25 companies. MacKenzie has founded two firms and also worked for leading companies including Hewlett- Packard and Pixar. She can be reached at lisam@mackenzie- marketing.com

5