Responding to a Data Breach: CEOs Should Develop a Narrative That Responds to Customers and Regulators

The cybersecurity breaches this month of Equifax and Deloitte—both firms that tout the value of their data and security acumen—show that no company is immune to hacking.

But there is one thing that smart companies can do, both before and during a breach, and that is to develop and deploy an appropriate narrative when a security disaster strikes. That narrative needs to hew to the facts, take into account the known unknowns, and appeal not to shareholders or the press but to customers and regulators. Done right, these statements can differentiate between a recoverable data breach and a cybersecurity-related corporate disaster.

What makes this so difficult for companies and CEOs is that the right response often goes against all they’ve learned about positioning the company. Let’s dissect those impulses.

  1. Shareholder value is intact. A company sees shareholders as its most important constituency and wants to reassure them. In fact, you have no idea what the impact on shareholder value will be, because you do not yet know the full extent of the breach, how the market will receive it, or how customers and regulators will react. Incorporating this claim into any narrative is ill-advised at best.
  2. We have this under control. Company leaders do not want to exhibit weakness. However, at the time of an initial statement, there is only a remote chance that the situation is actually under control. It takes time to learn the extent of a breach: its breadth, its duration, and its ultimate impact. Far better to say that you are working with experts, regulators and consumer advocates to understand what may have been compromised, and that you are pushing forward diligently in this regard.
  3. We are doing all we can to mitigate the effects. Company executives often have a bias toward action. You may want to act, but meaningful mitigation is impossible until you have discovered the scope of the data loss. Regulators are not interested in immediate solutions. They want to know that you are doing all you can to learn about the situation, not the specifics of the Band-Aids or tourniquets. They want to know your long-haul commitment.

What Should You Do?

  1. Get the CEO out front. This is mission-critical. Do not send a spokesperson, a PR rep or someone from IT. In a crisis, people want to hear from the leader. Be an informed leader, to the extent possible, and go public. If there are unknowns, take the brave stance and confess that.
  2. Don’t wait for someone to impose a narrative upon you. Take control of the podium. Don’t wait until you think you know all the facts. Construct a narrative that takes into account what you don’t know. “We have learned of a breach. We are working around the clock to learn the extent of the crime. We are collaborating with law enforcement, regulators, and cybersecurity experts to discover what has been compromised, and how best to respond to protect our clients and employees.”
  3. Bad news? Get it out now. It is vital to broadcast the breach not only to the outside world, but also to put company insiders on notice that this is considered an all-hands, public event. This will discourage publicly damaging behavior, such as we saw with Equifax executives, including the CFO, selling stock after the breach was discovered but before it was made public.
  4. Publicly enlist the help of regulators. Regulators will be involved regardless. Call them in early, enlist their help, and promote your cooperative working relationship with them. There is absolutely no downside to this approach.

In this day and age, prepping your top executives and key management for a data breach should be as routine as preparing for a natural disaster. Companies make poor decisions when the action plan is ad hoc. When you understand breaches and your chances of experiencing one, and thus prepare thoughtfully, you will be better positioned to respond, preserving the goodwill and reputation your company has built over years.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

Michael A. Gold is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Known for both legal expertise and an understanding of technology, he works with Boards of Directors, C-Suite executives, and IT directors to address cyber risks. He advises clients on domestic and international requirements for information privacy and security. He represents companies in complex litigation and arbitrations, including class action defense actions connected with data breach and privacy claims. Contact Mike at or +1 310.201.3529.