Five things we learnt about managing and communicating a data breach 

By Eve Frayling

Friday 18th February

Two in five businesses reported experiencing a cyber security breach or attack in the 12 months to March 2021. This threat was heightened during the Covid-19 pandemic, as the move to working from home destabilised many workplaces’ digital infrastructures.

With cyber-attacks now an ever-present threat to UK businesses, Pagefield and Acuity Law hosted a live panel and Q&A session with industry leading reputation management lawyers and PR experts, focused on how organisations can prepare for and manage data breaches. Pagefield Partner, Katharine Spence, asked our panel of experts how businesses can prepare for cyber-attacks, what to do in the first 24 hours of a data breach, and about the importance of transparency.

Prepare, prepare, prepare 

While your business might not be able to predict when a cyber-attack will happen – or even if it will happen at all – preparation is key to mitigating its impact. Planning ahead of time can often mean the difference between maintaining and losing control of the repercussions that come with a data breach.  

A plan should clearly set out the teams that will need to be involved, core timelines, and when to inform the regulator – the Information Commissioner’s Office (ICO). It should also set out the channels a business will use to inform stakeholders about the data breach, such as press or social media, and who in the communications team will be responsible for reactive and proactive outreach. Naturally, different businesses will need different plans in place, depending on their size, scale, and sector.  

Transparency is key 

You should communicate a clear, calm message that talks less about what has happened, and focused instead on the action that those affected need to take, alongside setting out what you are doing as a business to address the data breach. First and foremost, stakeholders expect transparency – and giving them as much information as you are able to from the start will minimise the risk of reputational damage.  

Don’t forget the importance of internal communications, too. Alerting staff to the breach is just as important as informing external stakeholders, as it is important that anyone speaking externally is on message.

Get your message out quickly, and to the right people 

The quickest way to reach affected stakeholders isn’t always by email. In many circumstances where you need to reach a large group of stakeholders quickly, it is easier to get your message across on the lunchtime or evening news bulletins.  

Press offices should also consider which other communications channels will be most effective in getting your message across, whether this be the broadsheets, radio, TV, or via your social media channels.

Whilst there will be a group immediately impacted by a data breach – most likely customers – businesses should also consider who else could be impacted and how to alert them. For example, in cases where financial data is exposed, and bank or credit card providers could be faced with a spike in enquiries, the company involved in the attack can help by alerting these providers early on. 

Join up your approach across the organisation 

Ensuring different departments are working collaboratively and keeping each other informed throughout the process is crucial.  

Communications, customer services, legal, and marketing teams will all play an important role in managing different outputs, and having open and regular conversations between departments, as well as the senior management team, once a data breach has occurred will further mitigate the fallout.  

PR and legal should work hand-in-hand making sure that you are sharing relevant information with those affected, but only sharing what you need to.  

Learn lessons for next time 

In today’s world, news develops fast. One story that started off reporting a data breach at a company could quickly develop into something different as further details are released, particularly about its cause and the financial repercussions for both the organisation and those impacted.  

The benefit of hindsight is also a wonderful thing, and it’s advisable to review your handling of a data breach after the event, to see if there are any steps or processes that could be improved in future. This is where scenario planning comes in, helping businesses prepare for any eventuality and better manage different stories that develop, as well as reactions from stakeholders. 

Related News & Insight