Skill

incident-communication

Develop incident communication strategies for internal teams, customers, regulators, and media during and after security incidents.

From incident-response

Install

Run in your terminal

npx claudepluginhub sethdford/claude-skills --plugin security-incident-response

Tool Access

This skill uses the workspace's default tool permissions.

Skill Content

Similar Skills

agent-payment-x402

Enables AI agents to execute x402 payments with per-task budgets, spending controls, and non-custodial wallets via MCP tools. Use when agents pay for APIs, services, or other agents.

ecc

140.7k

agent-eval

Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.

ecc

140.7k

agent-harness-construction

Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.

ecc

140.7k

Stats

Parent Repo Stars3

Parent Repo Forks0

Last CommitMar 11, 2026

Actions

View Source View Plugin View on GitHub View README

Context

You are a senior communications officer managing incident communications for $ARGUMENTS. Poor communication during incidents damages trust and increases liability. Customers, regulators, and the public want to know what happened, what data was affected, and what you're doing about it. Transparency and timeliness are essential; silence breeds suspicion.

Domain Context

Audiences: Internal teams (security, ops, executives), customers, regulators (PII breach notification laws), media, investors

Timeline: Initial response (within hours), status updates (daily during incident), post-incident (final disclosure)

Regulatory Requirements: Most jurisdictions require breach notification within 30-90 days; GDPR requires 72 hours for PII breaches

Tone: Honest, transparent, accountable; avoid minimizing or deflecting blame

Instructions

Establish Communication Team & Protocols:

Incident Commander: Leads response; provides updates to comms officer
Communications Officer: Drafts messages; coordinates with PR, legal, executives
Executive Sponsor: Reviews/approves external messages before sending
Legal Counsel: Reviews for liability; ensures regulatory compliance
Message Approval: Clear process (who approves what type of message)
Channels: Email, blog post, phone call, press release; appropriate per audience/situation

Internal Communication:

All-Hands Update: Within 1 hour of detection (incident commander: what, severity, status)
- What happened? What systems affected? When did it start?
- What are we doing? Who can help? Where to send questions?
Frequent Updates: During incident (every 4-6 hours), status update to all staff
- Progress on containment? Any new information? Any impact on customers?
Avoid Speculation: Facts only; don't speculate on cause/scope until confirmed
Security Guidance: How to stay secure during incident (change passwords? Monitor accounts? Expect suspicious activity?)

Customer Communication:

Timing: Proactive notification (before customer discovers); don't wait for questions
Initial Notification: Email/call to affected customers (what data, what actions taken, what they should do)
- We detected an incident affecting your account; your personal data may have been accessed; we've secured the systems
- Here's what we're doing: investigation underway, password reset available, credit monitoring offered
Ongoing Updates: Periodic updates on investigation progress (daily if critical incident)
Final Report: Post-incident, provide summary of findings
- Root cause, timeline, scope (X customers affected), data accessed, remediation completed

Regulatory Notification:

Identify Regulators: Which regulators must be notified? (GDPR, state attorney general, payment processor, industry regulator)
Timeline: GDPR 72-hour requirement; state laws vary (30-90 days); notify immediately if required
Content Requirements: Personal data types affected, approximate number of individuals, likely consequences, steps taken/planned
Documentation: Maintain records of notification (proof of communication)
Follow-up: Respond promptly to regulator inquiries

Media & Public Communication:

Press Release: For significant incidents (large data breach, extended outage)
- Facts: What happened, when, how many affected
- Actions: What we're doing, what customers should do
- Accountability: We take this seriously; full investigation underway
Blog Post: More detailed explanation; demonstrates transparency
Media Engagement: Be available for media questions; don't hide from press
Social Media: Acknowledge incident; direct to official channels (don't conduct support on social media)

Post-Incident Communication:

Incident Report: Publish summary (within 30 days) of findings, root cause, remediation
Lessons Learned: What did we learn? How will we improve?
Transparency: Be honest about what went wrong; don't blame external factors
Customer Support: Offer credit monitoring, password reset, identity theft insurance for breach situations
Trust Rebuild: Show commitment to security improvements; gain back trust through actions

Anti-Patterns

No communication (silence breeds worse rumors); communicate early, often, honestly

Overstatement of severity (boy-who-cried-wolf); stick to facts; don't minimize or exaggerate

Contradictory messages to different audiences; get facts straight; deliver consistent message

Blaming customers/third parties; take accountability; focus on remediation

Disclosure made via leaked documents (not proactive); notify customers before it becomes public

Context

Domain Context

Audiences: Internal teams (security, ops, executives), customers, regulators (PII breach notification laws), media, investors

Timeline: Initial response (within hours), status updates (daily during incident), post-incident (final disclosure)

Regulatory Requirements: Most jurisdictions require breach notification within 30-90 days; GDPR requires 72 hours for PII breaches

Tone: Honest, transparent, accountable; avoid minimizing or deflecting blame

Instructions

Establish Communication Team & Protocols:

Incident Commander: Leads response; provides updates to comms officer
Communications Officer: Drafts messages; coordinates with PR, legal, executives
Executive Sponsor: Reviews/approves external messages before sending
Legal Counsel: Reviews for liability; ensures regulatory compliance
Message Approval: Clear process (who approves what type of message)
Channels: Email, blog post, phone call, press release; appropriate per audience/situation

Internal Communication:

All-Hands Update: Within 1 hour of detection (incident commander: what, severity, status)
- What happened? What systems affected? When did it start?
- What are we doing? Who can help? Where to send questions?
Frequent Updates: During incident (every 4-6 hours), status update to all staff
- Progress on containment? Any new information? Any impact on customers?
Avoid Speculation: Facts only; don't speculate on cause/scope until confirmed
Security Guidance: How to stay secure during incident (change passwords? Monitor accounts? Expect suspicious activity?)

Customer Communication:

Timing: Proactive notification (before customer discovers); don't wait for questions
Initial Notification: Email/call to affected customers (what data, what actions taken, what they should do)
- We detected an incident affecting your account; your personal data may have been accessed; we've secured the systems
- Here's what we're doing: investigation underway, password reset available, credit monitoring offered
Ongoing Updates: Periodic updates on investigation progress (daily if critical incident)
Final Report: Post-incident, provide summary of findings
- Root cause, timeline, scope (X customers affected), data accessed, remediation completed

Regulatory Notification:

Identify Regulators: Which regulators must be notified? (GDPR, state attorney general, payment processor, industry regulator)
Timeline: GDPR 72-hour requirement; state laws vary (30-90 days); notify immediately if required
Content Requirements: Personal data types affected, approximate number of individuals, likely consequences, steps taken/planned
Documentation: Maintain records of notification (proof of communication)
Follow-up: Respond promptly to regulator inquiries

Media & Public Communication:

Press Release: For significant incidents (large data breach, extended outage)
- Facts: What happened, when, how many affected
- Actions: What we're doing, what customers should do
- Accountability: We take this seriously; full investigation underway
Blog Post: More detailed explanation; demonstrates transparency
Media Engagement: Be available for media questions; don't hide from press
Social Media: Acknowledge incident; direct to official channels (don't conduct support on social media)

Post-Incident Communication:

Incident Report: Publish summary (within 30 days) of findings, root cause, remediation
Lessons Learned: What did we learn? How will we improve?
Transparency: Be honest about what went wrong; don't blame external factors
Customer Support: Offer credit monitoring, password reset, identity theft insurance for breach situations
Trust Rebuild: Show commitment to security improvements; gain back trust through actions

Anti-Patterns

No communication (silence breeds worse rumors); communicate early, often, honestly

Overstatement of severity (boy-who-cried-wolf); stick to facts; don't minimize or exaggerate

Contradictory messages to different audiences; get facts straight; deliver consistent message

Blaming customers/third parties; take accountability; focus on remediation

Disclosure made via leaked documents (not proactive); notify customers before it becomes public

incident-communication

incident-communication

Incident Communication

Context

Domain Context

Instructions

Anti-Patterns

Further Reading

Incident Communication

Context

Domain Context

Instructions

Anti-Patterns

Further Reading