Have you included a data breach in your crisis plan?

When data breaches are making the news, people typically think of shady cyber criminals being responsible.

But damaging breaches are not always caused by someone acting maliciously.

Often, the cause is human error.

A report by Verizon earlier this year found that while criminal hacking is the biggest cause of data breaches, more than one in five incidents are caused by an employee.

This includes sensitive information being sent to the wrong person and attaching the wrong document.

And one organisation found itself at the centre of a data breach crisis this week that appears to have been caused by human error.

The identities of hundreds of families with disabled children were shared with other parents without their consent, in an email from Bristol City Council.

It sent the email asking for views on a new support service to hundreds of people and the names of all the children and the email addresses of their primary carers were viewable to all recipients.

One parent who received the email said it was "a fundamental breach of trust and data".

The council has apologised and has referred the case to the Information Commissioner's Office.

But the story has still been picked up by BBC News, ITV and Bristol Live.

Bristol City Council data breach sends names of children to ‘livid and upset’ parents Bristol Live

Disabled children's names revealed in Bristol City Council email BBC News

Data breaches, whether caused by criminals or human error, are increasingly common and are constantly in the news.

This month alone, hackers infiltrated Manchester United’s IT systems, while booking.com, Expedia, Capcom and Mashable are just some of the organisations who have all been at the centre of data breach stories.

So, what can you do to prepare and minimise the damage if you find yourself in a similar crisis media management incident?


The first step is to makes sure data breaches are included in your crisis communication plan. And, once it is, put that plan to the test (get in touch if you need a little help with this).

Knowing in advance how you will respond to a data breach is key and will enable you to communicate much more effectively when the worst does happen.  



The planning should put you in a position to be able to respond quickly when a data breach does happen, particularly if you have already prepared holding statements.

Ideally, you want to break the story before the media. That means communicating directly with those who have been impacted and then making public statements.

This will help you control the story and the openness and transparency are integral to maintaining trust in your brand.


Say sorry

You need to show your customers that you care about what has happened and that you understand the problems the breach may cause them.

And this starts with an apology. Apologise for the situation your organisation has put them in and put them at the start of your responses.

This is something many organisations get wrong. When Marriott hotels lost the data of up to 500 million people - including combinations of names, addresses, phone numbers, email addresses, passport numbers and payment detail – it couldn’t bring itself to say ‘sorry’. The closest it came to issuing an apology was the use of the word ‘regret’.

Compare that to how Richard D Fairbank, the CEO of Capital One, responded when the details of around 106m people were stolen in a hack.  

“I am deeply sorry for what has happened,” he said. “I sincerely apologise for the understandable worry this incident must be causing those affected and I am committed to making it right.”

Not only does that sound sincere, but also human.

If you are doing interviews about the data breach incident, again start with the apology.



Your customers are likely to have many questions around the data that has been affected and what it may mean for them.

Clarity is crucial. Stick to plain English and avoid any temptation to play down the significance of what has happened.

Although we praised Capital One for its apology a little earlier, the statement went downhill. It began to talk about fixing ‘the configuration vulnerability’ and then became contradictory.

It boldly claimed that ‘no bank account number or Social Security numbers were compromised’, before adding a pretty hefty clause which said 140,000 Social Security numbers and 80,000 banks account numbers were compromised. Additionally, one million Canadian Social Insurance Numbers were also compromised in the incident.

Hardly clear or reassuring.


Communicate, communicate, communicate

You need to communicate throughout the crisis. Keep you customers updated on the actions you are taking to rectify the situation, and steps they need to take to protect themselves, and what you are doing to try and prevent something similar happening in future.

Monitor what is being said about the incident so that you can answer the questions your customers are asking and correct inaccurate information.


Social media

Post your responses on social media and pin them to the top of your accounts so that customers can easily find the information they are looking for.

And, although it sounds obvious, make sure it is clear what the post refers to. During the Marriott incident we mentioned earlier, it took a low-key approach to discussing the issue on social media. On Twitter, it said: “Marriott values our guests and understands the importance of protecting personal information. For more information on the Starwood guest reservation database security incident, please visit http://info.starwoodhotels.com.” Easily missed if you are quickly scrolling for information.



We’ve said before in our crisis communication blogs that employees can often be overlooked.

But that scenario must be avoided. Make sure they are aware of the breach before they hear about it in the media or see it on social media – you need them on side and to have faith in how the incident is being managed.



Find out more about planning for a crisis and anticipating your organisation’s vulnerabilities, by downloading our free crisis eBook.


Media First are media and communications training specialists with over 35 years of experience. We have a team of trainers, each with decades of experience working as journalists, presenters, communications coaches and media trainers. 

Subscribe here to be among the first to receive our blogs.


Our Services

Media First are media and communications training specialists with over 30 years of experience. We have a team of trainers, each with decades of experience working as journalists, presenters, communications coaches and media trainers.

Online learning
Training by videoconference
Media training
Message development and testing
Presentation skills training
Crisis management testing
Crisis communication training
Leadership communication training
Writing skills training
Social media training
Video sound bites
Identifying positive media stories
How to film and edit professional video on a mobile
Media skills refresher
Media skills
TV studios
Crisis communications
Presentation skills and personal impact

Recommended Reading

Crisis management — 19 January by Adam Fisher

Apology videos and the art of saying sorry

Apology videos can be a great way for organisations to show contrition when they are in the spotlight for the wrong reasons. Many brands and individuals are now using them when they find themselves…

Crisis management — 7 January by Adam Fisher

The story of the inflatable costume that triggered a crisis

When a staff member dressed up as a Christmas tree and strolled through a hospital’s emergency department, it was intended to spread a little festive cheer. But it ended up spreading something much…