Cyber Attacks Are the New Normal, Be Prepared to Respond
News of companies facing crises is plentiful and without a response plan, the impact could be catastrophic.
February 06, 2020 at 11:45 AM
News of companies facing crises is plentiful, and without a response plan, the impact could be catastrophic. Examples include Facebook's data misuse, Starbucks' diversity missteps, Boeing's 737 Max and the recent news of Microsoft's exposure of 250 million private records on the internet. Marriott hotels also experienced a data breach where hackers accessed information of approximately 500 million customers, comprising personal information such as home addresses, credit card numbers and more. You may not think this could happen to you, but according to Verizon's 2018 Data Breach Investigations Report, 58% of data breaches take place in small businesses. Everyone is at risk—law firms, professional service companies, tech companies and more.
The reality is, in today's digital age, this is the "new norm." When a crisis hits, such as a data breach or negative news that could damage a company, there's nothing worse than trying to figure out what to do in the moment. Here are some steps to take to protect yourself before the news vacuum is filled with speculative news:
Put a Plan in Place
Create a crisis communications plan and a data breach plan with the right people before the crisis happens. These are two different plans used for two different purposes. A data breach is an unauthorized entry point into a company's database where cyber hackers access customer data such as passwords, credit card information, Social Security numbers, driver's license numbers and other sensitive information. Crisis communication in the public relations world is when a company's reputation gets damaged by a third party through negative media, reviews, social media attacks and more.
A communications and data breach plan provides a road map to follow when something goes wrong. In these plans, it is important to appoint key employees with responsibilities and test the plan, the security controls and key systems often. Outline the action steps for handling the breach or the negative news and map out a follow-up procedure.
More often than not, legal, technical and public relations issues arrive well before and after a crisis, so it's always good to be prepared. Communicate with your employees about the importance of cybersecurity and stress that everyone has to be diligent. Get employees used to it now and share appropriate parts of the plan.
Offer Training
Make sure you have the right people in place who are best suited to handle a crisis and have spokespeople assigned. These individuals may not always be the same key players that are appointed to many other committees and tasks. The general rule is that one size does not fit all here. Everyone has different communication styles and knowledge based on their longevity, meetings, line of work and so on. It is a good idea to choose the right people and also have backup. For instance, if you are trying to determine how a data breach occurred, a data security employee should be working on this. Or if you have to notify the insurer who issued your cyber liability policy, your risk management employee or contact should take charge. This group needs to be trained by public relations professionals who work with breaches and the media every day.
React Quickly
When a crisis hits, time is of the essence. Typically, there's a small window of time that can make or break your strategy and public image. Teams must meet immediately and respond quickly to prevent rumors from spreading, and revisit their plan to educate employees, clients, investors and the media. The first 24 hours are crucial as you work on your response, monitor the flow of news, answer questions and issue statements including "we are working on learning more about the situation, and we will respond to you quickly." In some industries, there are time requirements for reporting data breaches.
Remain in Control and Stay Knowledgeable
It's always a good idea to remain in control of a crisis as best you can. Aim to respond before others do. It's equally important not to lead blindly. Collect the data first to make sure you have the right information. Understand what happened, who is involved and how it escalated. It will be in your best interest to be the first to communicate with your employees, top influential clients, journalists, investors and law enforcement if appropriate.
Communicate, Communicate, Communicate
As time passes, continue to communicate publicly about what you learned and what you are doing now to improve the situation. Reassure your employees and your clients. Be as transparent as possible to gain trust and make sure that employees and key members of your company are provided with ample time to ask questions. They should also be armed with the right messaging, so they know how to respond and advocate to make the company stronger.
Debrief
Once the data breach or negative news has been contained, spend some time debriefing with your response team. Ask each member of your team to run through all the steps and talk about the lessons learned and anything they found interesting or they would do differently. Based on this conversation, adjust the plan accordingly.
Always remember, history has a way of being rewritten. You can control how the final chapter is written—so long as you have a response plan in place and you are fully prepared.
Dave Poston is a licensed attorney and CEO of Poston Communications, a national crisis, content and PR agency with offices throughout the United States. He may be reached at [email protected].
Ioana Good serves as vice president at the firm. Additionally, she is the co-chair of the LMA International Professional Advocacy Group and the LMA International Communications Group. She may be reached at [email protected].