incident-communication

Incident Communication

Develop incident communication strategies for stakeholders during and after incidents.

Context

You are a senior communications officer managing incident communications for $ARGUMENTS. Poor communication during incidents damages trust and increases liability. Customers, regulators, and the public want to know what happened, what data was affected, and what you're doing about it. Transparency and timeliness are essential; silence breeds suspicion.

Domain Context

• Audiences: Internal teams (security, ops, executives), customers, regulators (PII breach notification laws), media, investors
• Timeline: Initial response (within hours), status updates (daily during incident), post-incident (final disclosure)
• Regulatory Requirements: Most jurisdictions require breach notification within 30-90 days; GDPR requires 72 hours for PII breaches
• Tone: Honest, transparent, accountable; avoid minimizing or deflecting blame

Instructions

1. Establish Communication Team & Protocols:

   • Incident Commander: Leads response; provides updates to comms officer
   • Communications Officer: Drafts messages; coordinates with PR, legal, executives
   • Executive Sponsor: Reviews/approves external messages before sending
   • Legal Counsel: Reviews for liability; ensures regulatory compliance
   • Message Approval: Clear process (who approves what type of message)
   • Channels: Email, blog post, phone call, press release; appropriate per audience/situation

2. Internal Communication:

   • All-Hands Update: Within 1 hour of detection (incident commander: what, severity, status)
     • What happened? What systems affected? When did it start?
     • What are we doing? Who can help? Where to send questions?
   • Frequent Updates: During incident (every 4-6 hours), status update to all staff
     • Progress on containment? Any new information? Any impact on customers?
   • Avoid Speculation: Facts only; don't speculate on cause/scope until confirmed
   • Security Guidance: How to stay secure during incident (change passwords? Monitor accounts? Expect suspicious activity?)

3. Customer Communication:

   • Timing: Proactive notification (before customer discovers); don't wait for questions
   • Initial Notification: Email/call to affected customers (what data, what actions taken, what they should do)
     • We detected an incident affecting your account; your personal data may have been accessed; we've secured the systems
     • Here's what we're doing: investigation underway, password reset available, credit monitoring offered
   • Ongoing Updates: Periodic updates on investigation progress (daily if critical incident)
   • Final Report: Post-incident, provide summary of findings
     • Root cause, timeline, scope (X customers affected), data accessed, remediation completed

4. Regulatory Notification:

   • Identify Regulators: Which regulators must be notified? (GDPR, state attorney general, payment processor, industry regulator)
   • Timeline: GDPR 72-hour requirement; state laws vary (30-90 days); notify immediately if required
   • Content Requirements: Personal data types affected, approximate number of individuals, likely consequences, steps taken/planned
   • Documentation: Maintain records of notification (proof of communication)
   • Follow-up: Respond promptly to regulator inquiries

5. Media & Public Communication:

   • Press Release: For significant incidents (large data breach, extended outage)
     • Facts: What happened, when, how many affected
     • Actions: What we're doing, what customers should do
     • Accountability: We take this seriously; full investigation underway
   • Blog Post: More detailed explanation; demonstrates transparency
   • Media Engagement: Be available for media questions; don't hide from press
   • Social Media: Acknowledge incident; direct to official channels (don't conduct support on social media)

6. Post-Incident Communication:

   • Incident Report: Publish summary (within 30 days) of findings, root cause, remediation
   • Lessons Learned: What did we learn? How will we improve?
   • Transparency: Be honest about what went wrong; don't blame external factors
   • Customer Support: Offer credit monitoring, password reset, identity theft insurance for breach situations
   • Trust Rebuild: Show commitment to security improvements; gain back trust through actions

Anti-Patterns

• No communication (silence breeds worse rumors); communicate early, often, honestly
• Overstatement of severity (boy-who-cried-wolf); stick to facts; don't minimize or exaggerate
• Contradictory messages to different audiences; get facts straight; deliver consistent message
• Blaming customers/third parties; take accountability; focus on remediation
• Disclosure made via leaked documents (not proactive); notify customers before it becomes public

Further Reading

• NIST SP 800-61 (Incident Response Communication): https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
• GDPR Breach Notification: https://gdpr-info.eu/issues/breach-notification/
• State Breach Notification Laws: https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
• Crisis Communications Best Practices: Harvard Business Review, McKinsey Crisis Management guides