24 October 2022

Marion Banide

4 critical steps to handle a data-breach crisis

If you ask a CEO what event could cause the most harm to their business, there is a good chance that a data breach ranks high on the list of concerns. More often than not, the most harmful impact of a data breach does not relate to the data itself but to a reputation that can be irremediably tarnished.

Preparation, communication, and trust are the key pillars that underpin a successful data breach crisis management plan. Being supported by a strong and united multi-disciplinary team of experts, and taking on your responsibilities early on, are prerequisites to navigating these stressful times.

A webinar held by our partner agency Shillings helped us shed some light on the critical steps to follow to mitigate the risks resulting from a data breach crisis.

A data-breach crisis management timeline is usually articulated around four main phases (these are not strictly chronological; most of the time they overlap).

  • Detection and containment – the preservation phase
  • The risk assessment and fact-finding process
  • The notification phase (to the regulator)
  • The evaluation process


Containment and recovery

The hours following the discovery of the breach are critical: most of the decisions that shape the crisis are made during this phase. Management sets the tone for how the breach will be handled, and the containment plan is launched.

Key actions: 

  • The breach management team is called upon. Ideally, clear accountabilities and lines of reporting have already been defined and protocols have been agreed upon.
  • Containment plans are launched. Access restrictions need to be enforced accurately to protect the data and demonstrate proactiveness, and information is gathered to understand what happened.
  • An impact assessment is run to gather the key facts and identify the stakeholders that have been affected.

If a mistake is going to be made, it will be made early, and it is likely to affect the management of the entire crisis. It is paramount to get your core facts straight in order to define the most appropriate technical containment and communication plans.

High confidence in these facts and a high level of trust between the technical and management teams are essential, BUT a certain degree of flexibility is needed to adapt to new information that arrives in waves.

The risk assessment process

The risk assessment phase enables the breached organisation to investigate which data subjects have been affected, whether they have special characteristics that need to be considered, and the amount and nature of the data that has been breached or lost (in particular, whether it is sensitive data).

If the data breach results in a violation of individual rights, the risk is much higher and calls for a stronger reaction from the company. Media interest will also be higher.

In terms of communication:

  • Have all your external communication material ready to face regulatory and public scrutiny.
  • Know who within the company has enough credibility to carry the corporate voice and address stakeholders’ concerns in these difficult times.
  • Internal communication from the early stages is critical: give your internal stakeholders (employees, partners, franchisees) enough information and clear lines of communication so they can face questions or concerns from their own stakeholders (and avoid a snowball effect).
  • Don’t fall for the FUD bias (Fear, Uncertainty and Doubt)! External stakeholders will push different narratives. This is out of your control, but you can dismantle them and rebuild the narrative in a way that is objective, fact-checked, and supported by information about the initiatives you are undertaking to address the crisis.

Notification phase

  • To the public authorities: Within 72 hours, the data controller must inform the regulator (as per GDPR). Even if you do not yet have complete knowledge, the public authorities want to be notified and will accept staged notifications.
  • Tell your partners: Beyond GDPR, informing your partners is often a contractual obligation. This condition is very often overlooked by companies, which can then be liable for prosecution.
  • Inform your clients (affected data subjects): If harm has been done, you need to mitigate it by notifying the affected data subjects and telling them what you have done to contain the breach and the risk of escalation, and to reduce the harm. You can advise them to strengthen their own protection or share guidance on what to look out for and what they can do against fraud. Example: advice on passwords, so they do not become victims of fraud on another platform.


Overall, the principles of empathy, responsibility and accountability are widely shared values worldwide and will be assets when communicating about a data-breach crisis, regardless of jurisdiction. Help your stakeholders understand what you are doing, why you are doing it, and how it is going to be fixed. When you are unsure about your ultimate liability, it is better to err on the side of taking too much responsibility than too little.

Evaluation process

Once you have forensically captured all the information you can, it is strongly advised to sit down at a later stage with management and the breach management team to review the protocols.

It is a “best-effort” obligation to develop best practices within the company and to become better at predicting and handling unpredictable situations in the future.

More information about crisis management?

Are you well prepared to handle a cyber crisis or a data breach? Do you need advice on developing a solid crisis communications plan? Our Account Director Marion sheds light on the four most critical phases of preparing and implementing such a programme to protect your reputation, and will be happy to help.
