

Creating a Media Plan

If you do suffer a data breach, then the media outlets will be interested. You will receive calls. You must know how to handle these situations. To do so, you should create a Media Plan to be implemented when the inevitable happens. Here are some pointers to keep in mind when creating your plan.

First, create a point of responsibility for all media contacts. One person in your organization should handle calls or inquiries from the media. This person should be somewhat high in the management chain, but can be from Human Resources, Public Relations, or outside legal counsel. The important point is to stress that all media inquiries are to be directed to this person. No one else in your organization should speak to or otherwise communicate with the media. Having a central point of responsibility is also a good idea to ensure that the message is consistent and in line with the official company position.

Second, create a media information sheet, which should consist of potential talking points to address the various types of data breach incidents that could occur. Naturally, this information will change depending on the nature of the specific incident at hand. However, having a set of media points in advance may save time and trouble preparing one during the breach incident itself, when your resources should be devoted elsewhere.

Third, consider a press release. A data breach press release is not right for every situation. In fact, it should probably be used only for the most serious breach incidents, particularly if tens or hundreds of thousands of consumers are affected. The press release should contain standard background information on your organization, the physical and data security in place, and the efforts that you have made and will make to investigate and remediate the breach.

Finally, educate your employees on media issues. Under no circumstances should any employee, other than the designated media representative, make any statements or provide any information to the media. You must dictate what information you will disclose and when you will disclose it. These decisions should be made among management and legal counsel. Statements by employees will invariably be used against you, so every effort must be made to ensure that such statements are not provided.

With your Media Plan in place, you will be better prepared to weather the inquiries from a curious news media.