It’s not the kind of number you want to see increase. Unfortunately, 2014 saw a nearly 30 percent jump in data breach reports in the U.S. alone. Some companies have communicated effectively with their stakeholders, while others have failed miserably. Moreover, those failures have a significant cost in revenue, profitability, and reputation, in addition to the hard IT costs to beef up security.


According to the Identity Theft Resource Center (www.idt911.com), in the United States in 2014 there were a record 783 breaches reported, with more than 85 million records exposed. The ITRC found that more than 42% of those breaches occurred in the healthcare industry. Business breaches accounted for 33% of the incidents, yet a startling 79% of the records exposed. The remaining incidents were split among Government/military (11.7%), Education (7.3%) and Banking/Credit/Financial (5.5%).


A global study conducted by the Ponemon Institute (www.ponemon.org) for IBM put the 2014 average cost of each lost or stolen record containing confidential information at $145, a 9 percent increase over 2013. The report also noted that breaches of 10,000 records or fewer are far more likely than a mega-breach. Applying that average, a breach of, say, just 5,000 records would cost a company roughly $725,000. That’s nothing to sneeze at.


The lesson for organizations is to consider a breach likely and to plan ahead. If your business maintains employee, customer, donor or patient records containing confidential information, or if you accept credit/debit cards or do business online, you should have a crisis communications plan.


As part of the crisis communication plan, we recommend including a data breach as one of the scenarios when preparing for the most likely crisis events. During the planning process, we urge clients to develop talking points ahead of time and vet them with legal counsel and senior management. With at least that first statement ready to go at a moment’s notice and pre-approved, the company avoids the costly delays that occur when there is no plan for communicating with customers and other stakeholders once a breach happens.


Once the crisis plan is approved, take the time to run a simulation exercise to ensure that it works as designed. We design and deploy custom simulation exercises for clients to help them fine-tune their crisis plan and fix any gaps that are found, while practicing in the safe environment of the simulation.


Don’t let your stakeholders first hear about the breach from anyone but you. Companies should be prepared to notify customers before they have all the facts. Data breach investigations can take months, but customers will quickly take their business elsewhere if they feel that their data have been exposed for too long without notification. Commit to sharing what you know as soon as possible, and to providing regular updates. Say what is known, label what is still under investigation, and avoid stating a definitive scope or cause that a later finding could contradict. Acknowledge that the situation may change, and update all audiences when it does.


As the crisis unfolds, it’s important to take ownership of the problem and acknowledge responsibility for the breach. Avoid trying to lay blame on a vendor or employee until all the facts are known. Don’t play the victim. Even if a crime has been committed against your company, the court of public opinion will not consider the company a victim. Express regret and describe the steps being taken to ensure the problem is fixed. Don’t forget to follow up when more information is available.


There is much more that we can say about the value of a plan. The investment you make in a crisis communications plan will pay for itself quickly when the inevitable occurs. It is always easier (and less costly) to prepare and prevent than to repair and repent.