The First Few Minutes, Hours and Days: Top Tips For Crisis Planning
We look back at our free Acuity Law Planning For A Crisis webinar, recapping top tips for safeguarding your integrity and reputation when a crisis hits.
Today’s companies must be mindful of their impact – not only on the bottom-line and shareholder returns, but on our environment and society. With a stakeholder group potentially comprising the world at large, staying on top of both economic and societal risks means that the spectre of getting it wrong – and the resulting business and reputational damage – can loom large.
Our recent Acuity Law webinar, run jointly with pervasive PR experts Effective Communication, took the example of a data breach, and considered the dos and don’ts of containing the fallout.
“There is a DNA to any crisis, especially in terms of the PR aspect”
What is clear is that crises hit hard and fast – and if you wait until the chaos of a data breach (or any company emergency) to start planning, you’re already too late.
“I had a business owner in tears because they just couldn’t believe how quickly a crisis moves,” says Alastair Milburn, founder at Effective Communication.
Like every crisis, all data breaches are not equal in terms of severity, risk, impact and potential cost to your business. But there are some take-aways that apply across the board – and they all involve planning your response in advance to save time when disaster strikes.
“There is a DNA to any crisis, especially in terms of the PR aspect,” Alastair explains.
Here we unravel some of that DNA, to help your business prepare for when the worst happens.
Share the load
Given the 24/7 nature of today’s business world – with cross-border and remote working often the norm – there is a strong likelihood that a crisis will occur outside of the 9-5. This makes preparation all the more important if you want to avoid a 2am scramble when the phone rings.
A key aspect of this is a simple crisis protocol pack, sitting alongside business continuity plans and disaster recovery plans. This document should detail the names and roles of the people who will deal with each aspect of the crisis, including key media and PR contacts, and their contact information. Importantly, the document should also contain social media login information.
Who should be involved? Every business (and every crisis) will be different. But consider including HR, Sales, Marketing, PR, Operations and, obviously, in the case of a data breach: IT.
In addition, think about when a crisis becomes a board issue, and set out what signoffs you may need, as well as any external advisors, be they lawyers, PR or IT specialists.
Prepare statements well in advance
Prepare an initial holding statement of one-to-two paragraphs, saying something like “We’re on it; we’ll comment later.” This allows breathing space while key people in the business deal with the events unfolding.
But you don’t need to be restricted to just one: you can create multiple statements to cover different eventualities.
“The more you have in your back pocket the easier to focus on the crisis in hand and the media,” says Alastair.
Ready-to-go statements need to sit within the crisis protocol pack.
Identify who has been impacted by the crisis
Identifying the potential harm to individual data subjects is essential when deciding whether a data breach is reportable to the regulator, for example, the UK Information Commissioner’s Office (ICO). This decision must be reached quickly – the deadline for reporting a breach to the ICO is 72 hours from discovery and failing to do so could mean a fine of 2% of global annual turnover, or £8.7 million (whichever is higher).
“Speed is critical,” says Acuity Commercial and Technology partner Declan Goodwin.
He adds: “It’s also worth bearing in mind you could be fined twice – once for the actual breach, which is 4% of global turnover or £17.5 million (whichever is the higher of the two) and again for failing to report.”
You might also need to notify others – such as counterparties or the data subjects themselves.
Understanding the injury ecosystem is also crucial when creating scenarios to strategically manage the legal and reputational risk.
- Does the breach involve customers or clients?
- Are customers or clients aware of the breach?
- Is news of the breach likely to reach the public domain via social media and press?
- Do you have a contractual obligation to notify third parties who might be affected? It might be necessary to conduct a contract review and log any obligations to third parties to mitigate the risk of a claim.
Engage appropriately with media and social media
If the nature of the breach is such that it is likely to hit the news or social media, consider whether you can actually use this to your advantage by getting there first and controlling the narrative.
Nominate a gatekeeper to monitor media and social media. This person should address concerns about what has happened, correcting factual inaccuracies without getting engaged in (usually unwinnable) social media battles.
Identify the key stakeholders that you need to engage with directly. These could be politicians, sector organisations and so on. But focus on dealing with those vital stakeholders, rather than getting distracted by a social media skirmish.
For traditional channels, media training is strongly recommended for both the chief executive and their deputy – because although the boss might not always be the best person to go in front of the camera, in a crisis they may have to. If they are not available, there will need to be a fully prepared stand-in.
“It’s about being transparent and open about what has happened: how you have dealt with it and what you learned from that”
Above all, even in the midst of the crisis, is not to bury your head in the sand.
“People often say to me that they don’t want to say anything. The two words: ‘No comment’ immediately create suspicion,” says Alastair.
Aisha Wardell, Litigation partner at Acuity Law, and key contact of Acuity Reputation Management agrees that transparency is essential when managing a difficult situation:
“You cannot stop a crisis from happening, it’s part of the business world, particularly with data, social media and the way we use tech. But it’s about being transparent and open about what has happened: how you have dealt with it and what you learned from that,” she explains.
Crucially, all information put into the public domain should be approved by the Legal team, to avoid creating future issues.
Align strategy and tone
As you and your Legal team consider the types of approaches available, you can match the tone of messaging to the legal strategy for handling the crisis.
“Are we going to be quite defensive and defend and say there’s been no loss, it’s been contained and so we’re not going to pay compensation?” asks Aisha.
“Or do we have a more conciliatory view with our clients and customers, does that fit within our social responsibility and our client care policy as a business? Do we look to try and settle with those individuals and include confidentiality provisions?”
Once you have understood your obligations, you can match the message to the business strategy, mitigating the time and cost associated with claims arising out of a breach – or any crisis situation.
Adds Aisha: “We can deal with these things shortly after and focus on speed, but really the plan needs to be put in place before the crisis has happened, and if we’re able to do that, the cost and time is significantly reduced.”
After the storm has passed, debrief
When business as usual has resumed, it’s important to review the crisis PR and communications process to identify how you did – and what lessons you need to learn.
How can Acuity help?
Devising a functional and effective crisis plan might seem like a hefty – and daunting – task. But an audit and follow-on plan can be done simply, tailored to the risk areas and size of the business.
Acuity Reputation Management offers a flexible service, understanding your needs and breaking down your crisis to-do list into bite-sized chunks, from which you can choose where you want to focus.
What to do in a data breach
Note: these phases may need to take place concurrently.
- Locate the breach
- Stop the breach
- Assess the breach and determine whether it should be reported to the regulator
- Review contractual obligations and report breach to relevant counterparties
- Determine whether it is necessary to notify your insurer
- Document this process so that there is a record of the outcomes and all decision-making should the breach be subject to regulator scrutiny
- Consider contacting Acuity Law for a data breach impact assessment
Find out more about Acuity Reputation Management here.
Watch our full Planning For A Crisis webinar here.
Check out our ESG page here.