Moving beyond template-based notifications

How to identify your gray area stakeholders for more effective incident response communications.

Android Notifications
cheskapoon, modified by IDG Comm

When it comes to incident response, there is no one-size-fits-all approach. Every company, every incident, every regulatory framework looks different and has different characteristics and requirements. With all these variables at play, it stands to reason that no two responses are ever going to look the same.

So why do companies insist on using the same notification processes and templates to communicate after every incident involving a data breach?  

Too many incident response communications plans start and stop at “draft notification letters using the prepared templates.” On one hand it makes perfect sense. In that moment, with so much to do, it is tempting to check the box and save time and money. The problem is, that approach not only oversimplifies the legal notification requirements, it completely ignores the fact that you might have a legitimate business interest in communicating with other groups – the gray area stakeholders. Aptly named because the decision to inform them isn’t as black and white as legally required notifications.

By utilizing notification templates more effectively, and broadening communications plans to account for gray area stakeholders, organizations can improve their overall incident response communications efforts and take a major step toward maintaining stakeholder trust and mitigating the long-term impact of a cyber event.

Deciding who to notify

One of the most fundamental elements of an incident response is the question of who should be notified. The answer is informed by a multitude of factors, but essentially breaks down into two categories – groups you are legally required to notify and everyone else. The latter is referred to as “gray area stakeholders,” because although there isn’t a legal requirement to inform them, common sense and smart business calculations say you should consider it. This list could include such varied groups as business partners, sales teams, media, the Board of Directors, affiliated organizations, unaffected customers, etc.

Navigating this decision-making process is just the first step to successfully communicating after an incident. How well you execute on your decisions can also have major implications for the outcome of an event.

Legally required notifications

For legally required notifications, it can be a challenge to figure out who needs to be reached and in what timeframe.  The requirement to notify victims of a data breach vary wildly by geography, industry and categorization of data. Do you operate in financial services, healthcare or retail? Maybe you’re a defense contractor? Do your customers reside in California or Europe? Or do you hold social security numbers or credit card information? The patchwork quilt of regulations governing who, when and how you send breach notifications covers such a wide range of scenarios, that it can be difficult to keep them all straight, much less stay fully compliant.

This is where having pre-drafted templates – and a really good legal advisor! – can pay off. Particularly when there are large numbers of notifications to send, something resembling a form letter can save significant time and money. I like to refer to them as the Mad Libs of the cybersecurity world. When an incident occurs, you just select the appropriate letter template, plug in the corresponding nouns and verbs, hit send before time expires, and boom! You’re compliant.

Templates can be a great time saver, and that is reason enough to warrant the time spent on preparing them. Unfortunately, if it was that simple, we wouldn’t see so many headlines slamming terrible communications efforts from companies who have been breached.

While the specific information you are required to disclose, and the timeframe within which you do it, will be determined by the applicable legal standards, the way in which you communicate is often up for interpretation. Too often, notification letters end up resembling legal text, rather than customer-facing communications. This can leave recipients feeling confused and detached from your organization, clearly not ideal for long-term relationship management. Time should be spent on the messaging and delivery of even the most basic notification letters. As the saying goes, “it’s not what you say, it’s how you say it that matters.”

Bottomline, templates aren’t foolproof, and they have to be written appropriately to provide maximum benefit to your organization.

A good incident response communications plan won’t stop there, however. It should also evaluate the question of whether, and how, to inform any of your gray area stakeholders.

Gray area notifications

Good cyber security programs are increasingly emphasizing organizational resilience, an outcome that is dependent on the resiliency of your reputation and trust among key stakeholders. While it may seem counterintuitive to voluntarily talk about a cyber incident, protecting your organization’s reputation requires you to do so.

When data is lost, decisions will have to be made about which of the gray area stakeholders need to be informed. A well-crafted incident response communications plan, one that includes a good stakeholder analysis, will provide the objective information necessary to inform this decision.  

A stakeholder analysis can take many forms, but in this context, it acts as a referral guide to the interests, priorities and means of communicating with each of your stakeholder groups. As part of the incident response planning process, a stakeholder analysis is built by identifying each group with an interest in your organization, and then identifying what types of information they prioritize and what impact different breach scenarios could have on their relationship with your organization. This information is collected into a reference guide that allows you to navigate the question of whether to inform a specific group based on clear, objective information, a welcome change in the immediate fog of a data breach response.

This is where gray area notifications really earn their name, however, because there is no right or wrong answer. The decision about who to inform is based on business objectives and priorities of your organization and each individual stakeholder group, as well as the specific characteristics of the incident. The stakeholder analysis feeds quality data into that decision-making process, but someone still has to make the call – and reconsider it frequently as new information becomes available about the scale and scope of the event.

Despite the obvious benefit of enabling objective decision-making in the middle of an otherwise subjective response process, too many organizations still neglect to invest the time and resources into developing a full stakeholder analysis as part of their incident response communications plan.

As with everything in cybersecurity, incident response communication is an exercise in risk mitigation. Figuring out who you are legally required to notify is a challenge, but once you identify those groups, notification templates can prove quite valuable – when used correctly. However, that can’t be where your communication strategy stops. The stakes are just too high.

Acknowledging the existence of gray area stakeholders and incorporating a comprehensive stakeholder analysis into your planning process, can not only save you a slew of unintended consequences, but it can actually help strengthen your stakeholder relationships in the long-term and increase your organizational resilience in the face of future cyber events.

This story, "Moving beyond template-based notifications " was originally published by CSO.