


Published on September 16, 2015


cybersecurity, public relations

When it comes to commenting on breaking news, data breaches are in a category of their own. At the core, these incidents are criminal investigations and are notoriously light on concrete information. This can make things tricky for PR folks, since the right thing to say on Monday might be a misstep on Tuesday.

When advising clients, it isn’t enough to know which breaches are worth commenting on; we need to know when incidents are worth talking about and, more importantly, how to approach the situation at a given time. All data breaches develop slightly differently, but as a rule of thumb, most tend to follow a three-stage cycle. Below we’ve provided a sketch of the lifecycle of these news stories, as well as a suggested approach for participating in the conversation at each step.

Stage 1: Speculative

When a breach is first disclosed, there are always more questions than there are answers. While this may seem like a hurdle for companies looking to comment, it is often the most lucrative time to enter the conversation.

During this phase of the conversation, it is very difficult for expert commentary to be wrong. One vendor’s educated guess is just as good as any other’s (within reason), and typically it’s the most controversial opinions that catch a reporter’s attention. This isn’t to say companies should be controversial just for the sake of it, but without taking a risk and adding a unique take to the story, it is very hard to stand out. As long as a vendor’s stance is technically sound and isn’t self-serving, exploring hypothetical scenarios at this stage is completely acceptable.

The best approach here is to acknowledge the facts, i.e. that this is only speculation, and then speculate away. In these instances, the more specific you can be, the better. For example, instead of raising the possibility of it being a phishing attack, take it one step further. Simply adding something about the possibility of attackers targeting third-party vendors, which is by no means unlikely, can be the differentiator the reporter needs to include your spokesperson in a story. These added details allow commentary to encapsulate a more complete view of how something could have occurred, providing more value to readers.

Stage 2: Investigative

This stage of the coverage cycle is by far the most difficult to participate in as a vendor. During the investigative phase, reporters are starting to put together the pieces of available information, and potential sources of an attack are greatly diminished. While journalists may be open to speaking to a password expert during the early stages of a story’s development, that is a much tougher sell once it’s been blamed on a sophisticated network intrusion. During this stage of the process, if you or your technology isn’t relevant to the nuts and bolts of the story, it’s best to move on. Nothing is more annoying to journalists than a communications professional trying to warp the facts of a story to fit their company’s messaging, and the risks of an insulting Tweet often outweigh the benefits of trying to participate in the conversation.

Stage 3: Reflective

At this point, the conversation has all but ended. Relevant contributions become more limited, and often revolve around the key takeaways of an incident or how it fits into larger cybersecurity trends. Questions worth discussing at this point include:

1) How could this have been prevented?
2) Was it the result of negligence?
3) Was this incident isolated?

The list is more expansive than these three questions, but the overarching theme is the same. All the information is out there and the dust is settling, so a contribution that provides an opinion available only after the fact is the best way to get the final say in a data breach conversation.
