Lauren Wills-Dixon Quoted in Raconteur Article Exploring Post-Cyber Incident Comms
Tuesday 16th May 2023
Lauren Wills-Dixon, solicitor and data privacy expert at Gordons, has been quoted by leading business title Raconteur in its article exploring PR strategies in the aftermath of a cyber incident.
In today’s digitalised world, cyber threats are growing constantly, and in sectors that entail high levels of public visibility and scrutiny, effective cyber security and stakeholder management strategies go hand-in-hand.
Examples of UK brands recently impacted by high-profile cyber incidents include Royal Mail, JD Sports and WH Smith, for which Lauren’s comments achieved national coverage.
Although there is no ‘one-size-fits-all’ approach, incidents like these are useful case studies when it comes to exploring key considerations behind stakeholder engagement and external communications around cyber incidents.
Customers and stakeholders expect prompt, clear and honest communication when the services they’re depending on are disrupted. However, this is not always easy according to Lauren: “When a cyber incident occurs, it can take time to fully understand the extent of the incident and who is affected with certainty. This can make post-incident engagement a challenge and is usually a reason that immediate communication is relatively vague with only the bare minimum information required from a legal perspective being shared.
“Only after technical teams have worked to understand what has happened from a technical perspective with certainty will more details filter through.”
Looking at a good model to improve post cyber incident comms, Lauren referred to the aftermath of the recent JD Sports attack: “These were honest, apologetic, solution-focused and not overly technical”.
Organisations need to consider post-cyber incident comms plans not just from a reputation perspective, but with their legal obligations in mind too. Factors influencing post-incident comms include whether personal data is involved, whether hackers have exploited the data and whether people’s rights are at risk.
“If there is a significant risk, the organisation must work hard to reassure its customers and mitigate the reputational damage,” said Lauren.
In the UK, any security breach involving personal data must be disclosed to the Information Commissioner’s Office. Commenting on the legal requirements, Lauren added: “The obligation is to report within 72 hours, even if there are still unknowns surrounding the incident.”
Concluding the article, Lauren offered her key guidance for navigating post-cyber incident comms: “It is better for organisations in the longer term to be open, sharing details and controlling the narrative as soon as they can, rather than burying their heads in the sand.”
You can read Lauren’s comments in Raconteur here.