The Beat

Public relations checklist when responding to an information technology security incident

Last week, Baker Public Relations’ President & CEO Megan Baker was invited to participate in a panel discussion for Capital Area Technology Association’s (CATA) member meeting alongside two industry experts, Jeff Miller of Cyberstone Security and Thomas Capezza of Carter Conboy. The topic of discussion focused on “what to do when there’s been a security incident.” Jeff and Thomas tackled incident response and legal requirements, while I was able to speak specifically about what steps need to be taken to ensure a timely, unified message and how to present your company in a positive manner following a security incident like a data breach.

So far in 2018, there have been some epic occurrences that many corporations can learn from. Let us refresh your memory.

Lord & Taylor, Saks Fifth Avenue: 5 million records breached

Panera: 37 million records breached

Facebook: 87+ million records breached

Under Armour: 150 million records breached

United States Department of Defense (US DoD): 30,000 employees exposed

While it’s highly recommended that every business have a crisis plan, here are some roles and guidelines for organizations to follow once they’ve discovered a security incident.

1. Determine who can best respond (primary spokesperson) and be sure to speak with a credible and unified voice agreed upon by all stakeholders. (Consult with your legal team first on privacy breach regulations and obligations.) A unified voice shows that the company is in control. This role applies to all situations.

2. Analyze the situation first, be prompt and acknowledge the seriousness of the situation.

3. Develop your messaging and be sure to identify your audience(s). Don’t forget to acknowledge and address the situation with your employees too.

4. Be sincere in your apology. I don’t recommend taking out full-page newspaper ads like Facebook CEO Mark Zuckerberg did to issue an apology. Zuckerberg’s first acknowledgment of the situation should have included an apology via Facebook, but it didn’t. That was a mistake on his part.

5. Don’t jump to conclusions, but be as specific as you can about the circumstances and the nature of the breach or crisis at hand. You’ll then want to follow up with an explanation about what the organization is doing to learn from the situation moving forward.