How to inform internal teams of a data breach
By Heather Noonan - Article on May 06, 2013
What is the best way to tell your internal teams that your company has had a data breach? A data breach isn't unlike any other public relations debacle. Like any crisis that needs a public relations strategy and a game plan, it needs to be well thought out and executed with finesse. Unfortunately, during all this, your company faces reputational harm, deadlines, and backlash from clients, consumers, and the media.
For your internal teams, gather your decision makers and be transparent about what you do and don't know about the breach. Discuss what is being done and the plans in place. Bring in legal and human resources to provide input on the decisions being made. Assuming your information technology (IT) team is already involved and doing their job to fix what may have been broken, whether it was a break-in or a hack, make sure you keep everyone on the same page. I have found that communication is KEY in instances like this. If you aren't communicating well, right from the beginning, you will have half the company moving in one direction, poor decisions being executed, and your right hand won't know what your left hand is doing. Also remind your teams to keep information confidential as you work through forensics and put the pieces together.
I have seen too many companies want to send a company email to explain the data breach. This can be a very bad company decision. Unless your employees were all affected, I would highly recommend against this. Rumors begin this way. People begin to talk and ask immediate questions, which then starts the telephone and “what if” game. Your best-intentioned email will often be forwarded to an employee's friend or family member. That friend or family member then forwards the email and so on and so forth. (Not pretty.)
Yes, definitely tell your company what happened, but tell them during a company forum. Tell them face to face where they are able to ask questions. Let them voice their concerns and let you explain how the company is working through this incident, how people are being cared for, and the changes that are being made.
A couple of pieces of advice from someone who has seen the good and bad decisions made while a company works through a data breach.