Crisis Communications Management and the Cyberattack
Elizabeth K. Hinson, Associate, Nelson Mullins Riley & ScarboroughPreparing for a cyberattack is not only a job for the C-Suite or Information Technology Department. Public relations professionals work in lock-step with other decision-makers following a data breach, especially because the legal requirements related to a cyberattack when consumer information is involved include public notice. As evidenced by public reactions to the recent, high-profile breach reported by Equifax, regulators and security bloggers can respond quickly by posting real-time feedback to breach events on Twitter and other social media platforms. As such, communication professionals need not only to sit at the table as company leadership prepares announcements to affected customers, but communicators are also likely to be called upon after the breach event is made public. In that capacity, they can help to strategize regarding the response in the face of often emotional, fast-changing criticisms from a variety of interested parties, including those persons who are directly impacted by the breach, as well as shareholders, law enforcement, and government regulators from various jurisdictions.Because a cyberattack is an inevitable event for most organizations, preparing how to create a messaging strategy for the event when it occurs is just as important as any other possible crisis and is the key to remaining calm with key stakeholders, including customers, employees and investors. Emphasizing the significance of a strong communications team following a cyberattack, insurance companies are now providing for public relations costs in some cyber liability insurance policies.Incident Response Communications PlanBy crafting a cyberattack communication strategy today, you will help your company, or client:
- Tackle reputational risk.
- Control the message.
- Get out ahead of leaks (e.g., a customer’s detection of fraud on a credit account).
- Dodge regulatory scrutiny by timely disclosure of the event.
- Provide mitigating resources to impacted customers.
Consult Legal CounselAnnouncements regarding cyberattacks are communications tailored to regulatory requirements. Always consult an attorney who can advise on the appropriate language from applicable legal statutes. Ask for legal review before releasing a statement related to the cyberattack, including question-and-answer scripts, which should be prepared in consultation with legal counsel. If you work with counsel to coordinate the messaging in any consumer-facing messaging on a company website or in press release, you will protect your company or client from risks related to legal disputes that can result from a cyberattack.Engage Multiple Communication AvenuesIn addition to the regulatory notice that may be required by law, a company may utilize other strategic avenues for communicating with the public about the event. Prepare to engage the following resources after a breach:
- Call center or staff to answer questions about the breach event and any questions related to mitigation services, such as identity theft monitoring.
- Dedicated e-mail address or social media accounts to monitor and address concerns.
- Direct line to executive tasked with managing response or responding to clients.
Cyberattack TaxonomyCrucial to conveying a message about a cyberattack is understanding the categories of breaches, as well as basic vocabulary related to a breach event. Before an attack, know your breach types. You may be called upon to explain to a reporter the difference between a ransomware attack and a phishing attack and a compromise, as compared to a vulnerability. Think through the potential perceptions and consequences of referring to your company or client as victim of a criminal when reporting the event to the public.30-Day Countdown (or Less)Unique to a data breach event are the legal deadlines to provide notice to impacted customers and authorities. For example, some states like Florida require notice to affected consumers as soon as 30 days after a company has knowledge of a breach. For international companies that store data about EU citizens, the EU General Data Protection Regulation cuts notification deadlines to as soon as 72 hours after a company becomes aware of the attack.While not all companies announce data breaches or cyberattacks within 30 days’ time – and for good reason, as law enforcement works to track down the hackers or as the company works to conduct a thorough computer forensics investigation – a company hacked by a criminal must still act as quickly as possible to contain the breach and determine what happened. If working to meet a statutory deadline, the company will need to accomplish myriad tasks in cooperation with company leadership across departments, cyberexperts, vendors, and in some cases, law enforcement. For example, a forensic investigation of the hack will report essential details regarding the scope of the incident for any public communications. Law enforcement investigations may further provide crucial components of the public message. Legal experts will weigh in with perceived legal risks, as well as advise on elements of the announcement required by law as content requirements vary by state.In addition, a company may prepare scripts for company leadership and for call center staff to answer questions about the cyberattack. If notifying affected customers by mail, a notification vendor is often employed and this vendor typically needs the final communication several days before the deadline to ensure timely printing and mailing. For some breach events, notice via press release may be permitted and communications staff must coordinate the release of this notice with counsel because of legal requirements regarding how the message might reach affected populations.These deadlines and required outside resources highlight the necessity of an incident response communications plan for any PR firm or communications professional likely to assist with a cyberattack crisis. [author]About the Author: Elizabeth K. “Bess” Hinson is an associate based out of Nelson Mullins Riley & Scarborough’s Atlanta office where she practices in the Privacy and Information Security Practice Group. [/author]