Archived Insight | October 5, 2020

Who You Gonna Call? Cybersecurity Breach Communication Plan

Cybersecurity incidents can have serious consequences for both your organization and the people whose data may have been exposed. How you communicate the details about the incident will have a significant impact on how the breach affects your organization. Putting a cybersecurity breach communication plan in place can help you avoid costly mistakes that waste time and add confusion to an already tense situation.


What’s the difference between an incident response plan and a communication plan?

Your organization’s cybersecurity breach communication plan works in tandem with an incident response plan to make sure decision makers have the information they need to resolve the incident. In short, your cybersecurity breach communication plan is one (very important) part of your overall incident response plan, which helps guide actions beyond communication.

Invest in your help desk, the first line of defense

The ideal cybersecurity breach communication plan will allow you to deal with the incident without throwing the whole organization into a panic. You can start by training your IT help desk to recognize a cybersecurity breach when they spot one and know whom to contact to help stamp out the problem before it gets out of control.

For example, if an unusually high number of users report to the help desk that they are locked out of their accounts within a short period of time, a properly trained IT worker might suspect the organization is facing a password spraying cyberattack (where hackers try common passwords across many user accounts hoping to get lucky). The help desk should have contact numbers to call when they see this type of activity, and also know what evidence to collect to support resolving the attack.
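The lockout pattern described above can be checked mechanically. This is an added example, not part of the original article: it scans help desk lockout reports for a burst of distinct accounts inside a short window and returns the time span and affected accounts, which is the evidence a responder would ask for first. The 15-minute window, the five-account threshold, and the sample reports are assumptions constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Assumed thresholds; the article gives no numbers. Tune to your normal call volume.
WINDOW = timedelta(minutes=15)
MIN_DISTINCT_USERS = 5

# Constructed sample of help desk lockout reports: (ISO timestamp, username).
SAMPLE_REPORTS = [
    ("2020-10-05T08:02:00", "alice"),   # ordinary background lockouts
    ("2020-10-05T08:50:00", "bob"),
    ("2020-10-05T08:55:00", "bob"),     # same caller again, still one account
    ("2020-10-05T10:01:00", "carol"),   # burst begins
    ("2020-10-05T10:03:00", "dave"),
    ("2020-10-05T10:04:00", "erin"),
    ("2020-10-05T10:04:30", "carol"),
    ("2020-10-05T10:07:00", "frank"),
    ("2020-10-05T10:09:00", "grace"),
    ("2020-10-05T10:12:00", "heidi"),
    ("2020-10-05T14:30:00", "ivan"),
]

def find_lockout_bursts(reports, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    """Return one alert per burst: start, end, and the set of locked-out accounts."""
    events = sorted((datetime.fromisoformat(ts), user) for ts, user in reports)
    recent = deque()        # reports that fall inside the sliding window
    alerts = []
    in_burst = False
    for when, user in events:
        recent.append((when, user))
        while when - recent[0][0] > window:
            recent.popleft()
        users = {u for _, u in recent}
        # Count distinct accounts, not calls: one user calling repeatedly is not a spray.
        if len(users) >= min_users:
            if in_burst:    # extend the alert that is already open
                alerts[-1]["end"] = when
                alerts[-1]["users"] |= users
            else:
                alerts.append({"start": recent[0][0], "end": when, "users": users})
                in_burst = True
        else:
            in_burst = False
    return alerts

if __name__ == "__main__":
    for a in find_lockout_bursts(SAMPLE_REPORTS):
        print(f"Escalate: {len(a['users'])} accounts locked out between "
              f"{a['start']:%H:%M} and {a['end']:%H:%M}: {sorted(a['users'])}")
```
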


Let people know that you’re on top of it

At the start of a cybersecurity incident, you’ll have very little information to communicate. Let your affected internal users know that something is going on, and tell them what they can do to help the situation. This should be a standard message informing internal users that management knows about the situation, and that IT is working to address the issue. The message can be sent via email, or if that is down due to the incident, through a recorded message on your help desk phone number. Later, as you learn more information about the incident, you should provide updates to the affected internal users, following through with additional messages as needed until the incident is resolved.

Know when and how to escalate your response

Your cybersecurity breach communication plan should also guide when you communicate the incident to legal counsel and higher-level executives. For example, a single user with one compromised workstation is usually not CEO or board-level news. However, having fifty impacted users across the organization is worthy of executive attention. Similarly, the release of two members’ personal data may not require escalation, but the release of a thousand members’ data would. This is where having pre-defined escalation situations in your plan helps.

Different incident types also have different communications needs. For example, a computer virus spreading through your system should be communicated internally as quickly as possible to prevent the virus from spreading further. The same sense of urgency holds for an email phishing scam that may be sending fake email from one compromised account to others. However, a data breach may not call for an organization-wide notification unless there’s a specific need for people to know.

A cybersecurity breach communication plan (along with a larger incident response plan) helps you identify in advance who is responsible for communicating what information to whom. That way, you avoid having to come up with a plan on the fly, which can lead to chaos and confusion.

Letting the world know what’s happened

Once your internal communications have been established, you must then decide what to communicate to affected members, regulatory agencies, your insurance company, law enforcement (if necessary) and possibly the media if the incident has a remote chance of becoming a negative news story.


Affected members

In some states there are specific laws about how the members must be contacted, for example, requiring letters to be mailed. Other states may allow phone calls to affected users in addition to emails, or simply allow you to post a notice on your public web page. There are also state-by-state laws about how much time you have to notify members, with some states requiring shorter notification deadlines than others. Sixty days is the average, but it’s in your best interest to communicate as quickly as possible to avoid potential fines, penalties or the dreaded class-action lawsuits that often accompany them. A good incident response plan should have member notification deadlines listed and sample templates to use for each type of required communication.

While preparing to notify affected members, you should also prepare your help desk to handle the flood of expected calls. Provide a summary of information about the incident and a list of standard answers to help desk personnel for when the calls begin. The goal is to calm your members while providing important details they might need, such as how to enroll in credit monitoring if the incident resolution calls for that.

Regulatory agencies

Notifying regulatory agencies carries stipulations similar to those for notifying affected members. Different states have different rules, federal agencies have different rules than the states, and there are differing deadlines. Do your research and get these notifications right because the regulatory agencies can fine you very large sums of money for very minor infractions.

Your insurance company

You should also reach out to your cyber insurance provider. These companies usually have staff to assist with resolving the incident and a communications approach mapped out for moving forward. And since the insurance company is on the hook for many of the costs incurred once they have been notified of the incident, you should let them guide the resulting recovery and response activities (once those activities have been vetted by your legal counsel).

Law enforcement

Take advantage of legal counsel in order to follow the law. In some incidents, senior leadership may attempt to squelch investigation to avoid negative publicity. If law enforcement communication is required (for example, if a disgruntled employee stole and sold member data), then legal counsel is responsible for protecting the organization from accidental disclosures of information while also providing the data needed for the law enforcement agents to do their jobs.

The media

Make sure to control your messaging. You’ll need designated public relations specialists to speak with the media, letting other employees know they shouldn’t provide comments or contact the press. One reason you need strict control over your messaging is that certain words, such as “breach,” “PII,” and “PHI,” carry statutorily defined legal meanings. Admitting to them could have legal consequences, which is why it’s best to let the PR professionals deal with reporters.

You can’t resolve your cybersecurity breach without communication

There are many types of communications required for cybersecurity incidents, and nuances for each message. The recurring theme is that your incident response plan should include a cybersecurity breach communication plan to help you navigate the correct approach to this important topic.


This page is for informational purposes only and does not constitute legal, tax or investment advice. You are encouraged to discuss the issues raised here with your legal, tax and other advisors before determining how the issues apply to your specific situations.
