Review of a Solid Data Incident Response

Recently TVP Communications had the distinct honor to work with an institution to communicate a potential “data incident” on campus. I’m not going to reveal the name of the institution (they know who they are!), but I do want to give them kudos for the way in which they handled the situation.
What most impressed me was that they embodied transparency and leadership at every step:

  • The institution wasn’t legally obligated to take as proactive an approach as they did, but the leadership insisted it was the right thing to do.
  • They shared the details of what happened, but never threw any staffer under the bus. If anything, they took responsibility themselves even if their culpability was a stretch.
  • The leadership of the institution supported each other in the rollout regardless of titles or areas of responsibility.
  • The key communicators were able to find the balance between sounding like themselves and communicating the technical and legal nuances.
  • They are enacting change to keep data safer in the future and live up to expectations, but they never went as far as saying they “guaranteed,” “ensured,” or “promised” it would never happen again. As we all know, that means it is a matter of time before there is a repeat.
  • They monitored social media carefully and proactively responded to each and every question raised online, especially those that included anxiety or concern by those potentially impacted.

Many of the bullets above are obvious tenets of a solid crisis communications approach. Having said that, we spend a lot of time reminding leaders across the industry to step up, take responsibility and do the right thing(s). In this situation, the administration took those steps without being prompted or asked.
There were a number of lessons learned from that specific situation that you may find helpful, including:

  • Have solid legal counsel at your fingertips. In this case, representatives from the court of law and the court of public opinion worked well together. So well, in fact, that we weren’t afraid to press each other on our approaches to ensure the institution got the best advice possible.
  • Know the specific language you must use in a number of states to comply with their data breach laws/acts and be aware of the reporting hurdles in a handful of states.
  • If the data accessed belongs to minors, know that there are additional steps you must take to inform their parents of the incident. This is a gentle reminder to record parent information, too.
  • If you hire forensic investigators, make sure they can explain in layman’s terms what they found/didn’t find and what it means. And, if they don’t speak in terms you understand, be sure to ask questions. If you don’t understand the situation, you can’t communicate it to others.
  • The clock is ticking if data has been put at risk. Know what your state’s/the federal timeline for reporting looks like and share it as often as possible with the university’s cabinet. In this case, the communications team was brought in early to help with a situation that didn’t require immediate notification. Not all of our peers are as lucky.

Finally, institutions should heed advice to take cyber attacks seriously, but should not forget that many data-based situations on campus are the result of human error. Nobody has found a way to eliminate humanity in the workplace, so ensure your planning includes triggers for mistakes as well as malicious events.