Crisis Communications

Crisis Communications: Best Practices for Managing a Data Breach

By Sandra Fathi | On September 6, 2019

In today’s digital age, private information is becoming more accessible and vulnerable to hacks and data breaches. Companies of all sizes need to be prepared for potential threats, both behind the scenes and in the public eye. For incidents like Capital One’s data breach, an effective crisis communications plan is needed to keep customers – of more than 100 million records – up to date on the status and progress of the situation. 

CEO’s need to assume their company will fall victim to a data breach at some point and must be prepared to communicate with stakeholders if an incident occurs. Ideally, a crisis communication plan should always be developed and readily available prior to any potential attack. As a reminder, here are some best practices when responding to a data breach:

  1. Don’t delay: Having communications materials ready in advance is extremely helpful when dealing with a high-pressure and fast-paced situation. This prevents any unnecessary wait time in making a statement to your employees, stakeholders, affected parties, and the general public. 
  2. Acknowledge the situation: Notify all relevant stakeholders and customers stating the details of the situation, who was affected, and an intended remedy method. Be sure to follow each states data breach notification laws to stay compliant.
  3. Acknowledge impact and victims or potential victims: State the information that was compromised and confirm commitment to taking corrective measures.
  4. Be transparent: Commit to investigation and sharing information and cooperation with relevant parties.
  5. Share corrective action plan if available: This involves developing a full response plan inclusive of policies and procedures to reassure stakeholders.

Understanding these key steps when dealing with a data breach crisis is one part of managing a crisis, strategically executing these steps is where you need support. At Affect, we’ve supported many clients through a variety of security crisis situations – if you are interested in learning more about preparing a full crisis communications plan or conducting a crisis communications simulation, please reach out to me at

Sandra Fathi

Sandra Fathi is President and Founder of Affect, a public relations and social media agency. She is also the current PRSA Tri-State District Chair. Sandra has spent the past 20 years helping technology companies achieve their communications goals. Prior to founding Affect in 2002, Sandra led corporate communications and investor relations for RADVISION, a provider of video conferencing infrastructure products.