When helping companies respond to data breaches, I’ve been surprised at how often we have to remind our clients to provide essential information to their own employees. Even more shocking is that sometimes managers push back on our recommendation to do so.
Their rationale is understandable, but flawed. The company is embarrassed that they have been hacked, or have otherwise exposed personally identifiable data. They are prepared to notify those individuals whose information may have been impacted, and to comply with regulatory obligations, but they desperately hope to limit the visibility beyond that. And, they certainly don’t want their employees out there speculating about their incident with clients, customers, partners, or other stakeholders.
Fears range from well-intentioned employees “oversharing” with customers and creating unnecessary concern or alarm, to excessively chatty staff creating liability by speculating or sharing inaccurate information with outsiders. Some anxious managers decide that it’s best to limit all information to a tight group and empower only a few individuals to say anything at all.
Here’s the problem with this approach – it sounds good in the conference room, but doesn’t fly in the real world. What happens when someone who receives a notification letter ignores the toll-free number provided as a resource and simply calls the company switchboard with their question? Or, if your incident is reported in the media or discussed at length on Facebook or Twitter, and hundreds of customers walk into your retail stores and demand to know what is going on? Or, maybe a major business partner calls their relationship manager at your company looking for answers about how the incident might affect their interests? If your employees answer, “I haven’t heard about that,” or, “No one has told me anything,” or, “I’m not allowed to talk about that,” your situation could quickly go from bad to worse.
Our advice is to carefully consider what information your employees may require for the roles they play in your company, and to arm them in advance with only as much as they will need to handle what may come their way. The answer might be as simple as, “I apologize for any inconvenience or concern, but can confirm that our systems are now secure and no financial data was exposed as a result of this incident. If you have other questions, we’ve set up a call center, which is the best place to get the most current and accurate information.”
This type of communication doesn’t necessarily lead to increased risk, because you don’t have to share sensitive details, and you can wait to communicate internally until immediately before information is shared externally. However, it just makes sense to prepare your employees for the realities they may face. Consider the alternative – if you don’t provide some simple direction to your employees, then you are leaving it up to them to improvise on the fly when they get put into an uncomfortable situation by an outsider seeking information. Providing practical guidance in advance is simply good for your employees and for your business.