How to inform internal teams of a data breach
Read this post to get the top steps you should take to let your internal teams know about a data breach.
What is the best way to tell your internal teams that your company has had a data breach? A data breach isn't unlike any other public relations debacle. Like any crisis that needs a public relations strategy and a game plan, it needs to be well thought out and executed with finesse. Unfortunately, during all this, your company faces reputational harm, deadlines, and client, consumer, and media backlash.
For your internal teams, gather your decision makers and be transparent with what you do and don't know about the breach. Discuss what is being done and the plans in place. Bring in legal and human resources to provide input on the decisions being made. Assuming your information technology (IT) team is already involved and doing their job to fix what may have been broken, whether it was a break-in or a hack, make sure you keep everyone on the same page. I have found that communication is KEY in instances like this. If you aren't communicating well, right from the beginning, you will have half the company moving in one direction, poor decisions being executed, and your right hand won't know what your left hand is doing. Also remind your teams to keep information confidential as you work through forensics and put the pieces together.
I have seen too many companies want to send a company email to explain the data breach. This can be a very bad company decision. Unless your employees were all affected, I would highly recommend against this. Rumors begin this way. People begin to talk and ask immediate questions, which then starts the telephone and "what if" game. Your best-intentioned email will often be forwarded to an employee's friend or family member. That friend or family member then forwards the email and so on and so forth. (Not pretty.)
Yes, definitely tell your company what happened, but tell them during a company forum. Tell them face to face where they are able to ask questions. Let them voice their concerns and let you explain how the company is working through this incident, how people are being cared for, and the changes that are being made.
A couple of pieces of advice from someone who has seen the good and bad decisions made while a company works through a data breach:
- Don’t rush and don’t panic. When we rush we can often make quick, irrational decisions.
- Don’t make emotional decisions. (same as above)
- Keep to the facts.
- Don’t play the hypothetical game.
- Be transparent and avoid rumors.
- Be very leery of email notification.
- Keep the initial information on a need-to-know basis as you gather all the evidence.
- Dedicate your main decision makers. Keep the key people involved and make decisions as a group. Even the smallest decision can affect the final outcome.
- Avoid too many cooks in the kitchen. Too many people making decisions can become very problematic and tiresome.
- Remember you are a team and you are protecting the company. Too often employees become worried about themselves and the politics involved.
- Avoid politics during decision making. Same as above: when politics are involved, bad decisions can be made.
- Remember state and federal guidelines when making decisions. If under HITECH, you will most likely be investigated.
- Document everything. Every decision should be documented, no matter how small. This will be vital years from now.
- Keep your door open. People will continue to have questions and concerns. Be ready for them. Don’t think that because the incident was five months ago that questions won’t come up and you won’t have to deal with them…again.
- Take the high road. Don’t backlash against people that attack you or the company. Always take the high road and save face.
- Smile through it all and remain the leader. This too shall pass.
- Again, don’t rush and don’t panic. Take the time to make sure everyone is in the car before you drive off and make sure you have a map.