Cyber Attacks Are the New Normal, Be Prepared to Respond
News of companies facing crises is plentiful and without a response plan, the impact could be catastrophic.
February 06, 2020 at 11:45 AM
6 minute read
News of companies facing crises is plentiful and without a response plan, the impact could be catastrophic. Examples include Facebook's data misuse, Starbuck's diversity missteps, Boeing's 737 Max and the recent news of Microsoft's exposure of 250 million private records on the internet. Marriott hotels also experienced a data breach where hackers accessed information of approximately 500 million customers, comprising personal information such as home addresses, credit card numbers and more. You may not think this could happen to you, but according to Verizon's 2018 Data Breach Investigations Report, 58% of data breaches take place in small businesses. Everyone is at risk—law firms, professional service companies, tech companies and more.
The reality is, in today's digital age, this is the "new norm." When a crisis hits, such as a data breach or negative news that could damage a company, there's nothing worse than trying to figure out what to do in the moment. Here are some steps to take to protect yourself before the news vacuum is filled with speculative news:
|Put a Plan in Place
Create a crisis communications plan and a data breach plan with the right people before the crisis happens. These are two different plans used for two different purposes. A data breach is an unauthorized entry point into a company's database where cyber hackers access customer data such as passwords, credit card information, Social Security numbers, driver's license numbers and other sensitive information. Crisis communication in the public relations world is when a company's reputation gets damaged by a third party through negative media, reviews, social media attacks and more.
A communications and data breach plan provides a road map to follow when something goes wrong. In these plans, it is important to appoint key employees with responsibilities and test the plan, the security controls and key systems often. Outline the action steps for handling the breach or the negative news and map out a follow-up procedure.
More often than not, legal, technical and public relations issues arrive well before and after a crisis so it's always good to be prepared. Communicate with your employees about the importance of cybersecurity and stress that everyone has to be diligent. Get employees used to it now and share appropriate parts of the plan.
|Offer Training
Make sure you have the right people in place who are best suited to handle a crisis and have spokespeople assigned. These individuals may not always be the same key players that are appointed to many other committees and tasks. The general rule is that one size does not fit all here. Everyone has different communication styles and knowledge based on their longevity, meetings, line of work and so on. It is a good idea to choose the right people and also have backup. For instance, if you are trying to determine how a data breach occurred, a data security employee should be working on this. Or if you have to notify the insurer who issued your cyber liability policy, your risk management employee or contact should take charge. This group needs to be trained by public relations professionals who work with breaches and the media every day.
|React Quickly
When a crisis hits, time is of the essence. Typically, there's a small window of time that can make or break your strategy and public image. Teams must meet immediately and respond quickly to prevent rumors from spreading, and revisit their plan to educate employees, clients, investors and the media. The first 24 hours are crucial as you work on your response, monitor the flow of news, answer questions and issue statements including "we are working on learning more about the situation, and we will respond to you quickly." In some industries, there are time requirements for reporting data breaches.
|Remain in Control and Stay Knowledgeable
It's always a good idea to remain in control of a crisis as best you can. Aim to respond before others do. It's also equally important to not lead blindly. Collect the data first to make sure you have the right information. Understand what happened, who is involved and how it escalated. It will be in your best interest to be the first to communicate with your employees, top influential clients. Journalists, investors and law enforcement if appropriate.
|Communicate, Communicate, Communicate
As time passes, continue to communicate publicly about what you learned and what you are doing now to improve the situation. Reassure your employees and your clients. Be as transparent as possible to gain trust and make sure that employees and key members of your company are provided with ample time to ask questions. Also they should be armed with the right messaging, so they know how to respond and advocate to make the company stronger.
|Debrief
Once the data breach or negative news has been contained, spend some time debriefing with your response team. Ask each member of your team to run through all the steps and talk about the lessons learned and anything they found interesting or they would do differently. Based on this conversation, adjust the plan accordingly.
Always remember, history has a way of being rewritten. You can control how the final chapter is written—so long as you have a response plan in place and you are fully prepared.
Dave Poston is a licensed attorney and CEO of Poston Communications, a national crisis, content and PR agency with offices throughout the United States. He may be reached at [email protected].
Ioana Good serves as vice president at the firm. Additionally, she is the co-chair of the LMA International Professional Advocacy Group and the LMA International Communications Group. She may be reached at [email protected].
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Insurer Not Required to Cover $29M Wrongful Death Judgment, Appeals Court Rules
- 2Slideshow: Jewish Bar Association of Georgia Marks 1st Year With Hanukkah Party
- 3Holland & Knight Launches Export Control Disputes and Advocacy Team
- 4Blake Lively's claims that movie co-star launched smear campaign gets support in publicist's suit
- 5Middle District of Pennsylvania's U.S. Attorney Announces Resignation
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250