How to talk to executives after a data breach

In the wake of a data breach, how do you know when to talk to executives, and, more importantly, what to say? In this expert response, learn how to talk to executives after a data breach.

What are some best practices for communicating with executives during and after a data breach? How often should they be briefed, and is there any specific information you'd suggest leaving out or being sure to include?

The short answer is: It depends. The long answer is: When you communicate and how often you communicate will be different for each organization. This sort of communication process should be built into your organization's business continuity/disaster recovery/incident response (BC/DR/IR) process. A data breach is no different from any other incident that may require executive notification. Timing will depend heavily on the size of the breach, when it was discovered, whether it's hit the media and any number of other particular business concerns.

If this sort of communication plan isn't already part of a larger BC/DR/IR program, sit down with the enterprise's legal team and HR department (at bare minimum) as well as with the CIO and corporate communications team to assemble a basic plan. The other members of the team will have had past experience communicating similar issues to the C-suite and should have great feedback on when and how to notify them. Once you have a rough plan that everyone is happy with, you or another member of the team can present this plan to the rest of the C-suite for their feedback. At this time, you'll get a much better feeling from the executives about when they want to be notified and how much detail they want. This will probably take a few iterations to get right. And don't be surprised when you have to make changes to the process after the first incident.

This was last published in September 2009
