What to do when you’re facing a data breach crisis
Privacy - more than meets the eye
No one knows when a turn of events, such as a data breach, will put your organization under pressure. But if you are well prepared, an incident might not become a crisis. In fact, it could be a chance to show your stakeholders the best your organization can deliver.
Fearing a crisis
The thought of a crisis can be quite intimidating. Some organizations have even banished the word ‘crisis’ and prefer to call it ‘issue management’ or ‘situation management’, just to stay away from any negative connotations. They fear that once a crisis appears, they can’t do anything about it.
Readiness, resilience, and character
Yet a crisis need not be scary at all. It is a moment of truth that tests your organization’s readiness, resilience, and character. It can make you stronger, call your attention to matters that need improvement, and it might actually be a chance to show your stakeholders that you are in control and that you make the right decisions, even in times of crisis. Also, if you have paid enough attention to preparing for a crisis, and your people know what to do and who to call, everyone will keep calm and act appropriately. Even if it happens on a Friday night or during the weekend – which it always does.
The first step in crisis management
At Deloitte, we believe that many crisis situations are actually badly managed incidents. If you are well prepared, you will know what the risks are and how to deal with certain types of incidents – such as a data breach. So how can you prepare your organization for a crisis? First of all, it is important to appoint someone who will manage a crisis when it occurs and who has the authority to do so. This should preferably be someone close to the Board, someone who is trusted by the Board to make the appropriate decisions. The last thing you need in a crisis is confusion about who is in charge.
The second step in crisis management
Second, you need to organize escalation and notification within your organization. Whenever something happens that might lead to a crisis, this information must immediately be available to the manager in charge. Therefore, all internal communications should be organized well. Make sure processes and a protocol are in place, so everyone knows what to do and who to notify. The same applies externally: who should report the incident to the relevant authorities? After all, the first hours in any crisis situation are crucial, since there is still an opportunity to stay in control.
The third step in crisis management
The final step to a well-prepared organization is practice. Everyone involved in dealing with a crisis needs training, so they learn how to act under high pressure in different scenarios.
Core business related or not?
Many organizations know to a large extent how to deal with a crisis. They know what they should do, but not how to do it. They lack the experience and structure to organize the right group of people who are authorized to make the necessary decisions at the right level. Also, many businesses are well prepared for incidents related to their core business – it has become part of their organizational DNA. But when a crisis is related to, for example, privacy – such as a data breach – they find out they are not that well prepared.
Order and structure
Still, that is not the end of the world. The Deloitte Resilience & Crisis Management team is frequently called in when a crisis is already nearing its peak. What we do then is create order and structure, and make sure that the right topics are discussed at the right time. All the time. So that the people in charge can make decisions within structured situations. Afterwards, we report on what went well and on improvement opportunities (the lessons learned), or help you structure any legal implications, such as claims handling.
Of course, we can do more. We can help you build a crisis function and train your people, from practicing detailed processes at an operational level to supporting strategic management decision making. We can organize simulations and make your organization experience what happens and how to manage in a crisis.