Archived Insight | October 5, 2020
Cybersecurity incidents can have serious consequences for both your organization and the people whose data may have been exposed. How you communicate the details about the incident will have a significant impact on how the breach affects your organization. Putting a cybersecurity breach communication plan in place can help you avoid costly mistakes that waste time and add confusion to an already tense situation.
Your organization’s cybersecurity breach communication plan works in tandem with an incident response plan to make sure decision makers have the information they need to resolve the incident. In short, your cybersecurity breach communication plan is one (very important) part of your overall incident response plan, which helps guide actions beyond communication.
The ideal cybersecurity breach communication plan will allow you to deal with the incident without throwing the whole organization into a panic. You can start by training your IT help desk to recognize a cybersecurity breach when they spot one and know whom to contact to help stamp out the problem before it gets out of control.
For example, if an unusually high number of users report to the help desk that they are locked out of their accounts within a short period of time, a properly trained IT worker might suspect the organization is facing a password spraying cyberattack (where hackers try common passwords across many user accounts hoping to get lucky). The help desk should have contact numbers to call when they see this type of activity, and also know what evidence to collect to support resolving the attack.
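The lockout spike described above can be checked automatically rather than waiting for someone at the help desk to notice the pattern. The following Python is an added example, not code from the original article: it scans constructed account-lockout log lines (the log format, field names, ten-minute window and five-account threshold are all assumptions) and, when many distinct accounts lock out in a short window, returns the evidence a help desk would hand to the responders: the time span, the affected accounts, and the source addresses involved.

```python
"""Flag a burst of account lockouts that may indicate password spraying.

Added example for illustration; the log format, field names, window size
and threshold below are assumptions, not from any particular product.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <event> user=<name> src=<ip>".
# One isolated lockout, one successful login, a six-account burst from a
# single source address, then one more isolated lockout an hour later.
SAMPLE_LOG = """\
2020-10-05T07:30:02 LOCKOUT user=dave src=203.0.113.45
2020-10-05T07:55:40 LOGIN_OK user=erin src=203.0.113.9
2020-10-05T08:00:12 LOCKOUT user=alice src=198.51.100.7
2020-10-05T08:01:03 LOCKOUT user=bob src=198.51.100.7
2020-10-05T08:02:47 LOCKOUT user=carol src=198.51.100.7
2020-10-05T08:04:19 LOCKOUT user=dave src=198.51.100.7
2020-10-05T08:05:55 LOCKOUT user=erin src=198.51.100.7
2020-10-05T08:06:30 LOCKOUT user=frank src=198.51.100.7
2020-10-05T09:15:00 LOCKOUT user=grace src=203.0.113.12
"""

# Assumed tuning values: tune to your own baseline lockout rate.
LOCKOUT_THRESHOLD = 5          # distinct accounts locked within one window
WINDOW = timedelta(minutes=10)


def parse_lockouts(text):
    """Return sorted (timestamp, user, src) tuples for LOCKOUT lines only."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "LOCKOUT":
            continue                      # ignore successes and malformed lines
        ts = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[2:])
        events.append((ts, fields["user"], fields["src"]))
    return sorted(events)


def detect_lockout_spike(events, threshold=LOCKOUT_THRESHOLD, window=WINDOW):
    """Slide a time window over the events; return an evidence dict the
    moment `threshold` distinct accounts are locked inside it, else None."""
    start = 0
    for end in range(len(events)):
        # Drop events that fell out of the window ending at events[end].
        while events[end][0] - events[start][0] > window:
            start += 1
        window_events = events[start:end + 1]
        accounts = {user for _, user, _ in window_events}
        if len(accounts) >= threshold:
            return {
                "window_start": window_events[0][0].isoformat(),
                "window_end": window_events[-1][0].isoformat(),
                "accounts": sorted(accounts),
                # Source addresses and how often each appeared: one dominant
                # source across many accounts is the spraying signature.
                "sources": dict(Counter(src for _, _, src in window_events)),
            }
    return None


def analyze_log(text):
    """Convenience wrapper: parse then detect."""
    return detect_lockout_spike(parse_lockouts(text))


if __name__ == "__main__":
    evidence = analyze_log(SAMPLE_LOG)
    if evidence is None:
        print("No lockout spike in sample log.")
    else:
        print("Possible password spraying; escalate with this evidence:")
        for key, value in evidence.items():
            print(f"  {key}: {value}")
```

The returned dictionary is deliberately the shape of a help-desk escalation: it answers "when", "which accounts" and "from where" without anyone having to reconstruct the timeline by hand. The threshold should be set from your own normal lockout rate so that a Monday-morning wave of forgotten passwords does not page the response team.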
At the start of a cybersecurity incident, you’ll have very little information to communicate. Let your affected internal users know that something is going on, and tell them what they can do to help the situation. This should be a standard message informing internal users that management knows about the situation, and that IT is working to address the issue. The message can be sent via email, or if that is down due to the incident, through a recorded message on your help desk phone number. Later, as you learn more information about the incident, you should provide updates to the affected internal users, following through with additional messages as needed until the incident is resolved.
Your cybersecurity breach communication plan should also guide when you communicate the incident to legal counsel and higher-level executives. For example, a single user with one compromised workstation is usually not CEO or board level news. However, having fifty impacted users across the organization is worthy of executive attention. Similarly, the release of two members’ personal data may not require escalation, but the release of a thousand members’ data would. This is where having pre-defined escalation situations in your plan helps.
Different incident types also have different communications needs. For example, a computer virus spreading through your system should be communicated internally as quickly as possible to prevent the virus from spreading further. The same sense of urgency holds for an email phishing scam that may be sending fake email from one compromised account to others. However, a data breach may not call for an organization-wide notification unless there’s a specific need for people to know.
A cybersecurity breach communication plan (along with a larger incident response plan) helps you identify in advance who is responsible for communicating what information to whom. That way, you avoid having to come up with a plan on the fly which can lead to chaos and confusion.
Once your internal communications have been established, you must then decide what to communicate to affected members, regulatory agencies, your insurance company, law enforcement (if necessary) and possibly the media if the incident has a remote chance of becoming a negative news story.
In some states there are specific laws about how the members must be contacted, for example, requiring letters to be mailed. Other states may allow phone calls to affected users in addition to emails, or simply allow you to post a notice on your public web page. There are also state-by-state laws about how much time you have to notify members, with some states requiring shorter notification deadlines than others. Sixty days is the average, but it’s in your best interest to communicate as quickly as possible to avoid potential fines, penalties or the dreaded class-action lawsuits that often accompany them. A good incident response plan should have member notification deadlines listed and sample templates to use for each type of required communication.
While preparing to notify affected members, you should also prepare your help desk to handle the flood of expected calls. Provide a summary of information about the incident and a list of standard answers to help desk personnel for when the calls begin. The goal is to calm your members while providing important details they might need, such as how to enroll in credit monitoring if the incident resolution calls for that.
Regulatory agencies have similar stipulations as affected members. Different states have different rules, federal agencies have different rules than the states, and there are differing deadlines. Do your research and get these notifications right because the regulatory agencies can fine you very large sums of money for very minor infractions.
You should also reach out to your cyber insurance provider. These companies usually have staff to assist with resolving the incident and a communications approach mapped out for moving forward. And since the insurance company is on the hook for many of the costs incurred once they have been notified of the incident, you should let them guide the resulting recovery and response activities (once those activities have been vetted by your legal counsel).
Take advantage of legal counsel in order to follow the law. In some incidents, senior leadership may attempt to squelch investigation to avoid negative publicity. If law enforcement communication is required (for example, if a disgruntled employee stole and sold member data), then legal counsel is responsible for protecting the organization from accidental disclosures of information while also providing the data needed for the law enforcement agents to do their jobs.
Make sure to control your messaging. You’ll need designated public relations specialists to speak with the media, and other employees should be told not to provide comments or contact the press. One reason you need strict control over your messaging is that certain words, such as “breach,” “PII,” and “PHI,” carry statutorily-defined legal meanings. Admitting to them could have legal consequences, which is why it’s best to let the PR professionals deal with reporters.
There are many types of communications required for cybersecurity incidents, and nuances for each message. The recurring theme is that your incident response plan should include a cybersecurity breach communication plan to help you navigate the correct approach to this important topic.