"Make certain that you have a complete and thorough understanding of the facts so that you subsequently don't have to correct a misstatement," says Raether, who frequently advises clients that have experienced breaches. Providing inconsistent information "can undermine the credibility you're trying to develop," he adds.
Companies that have experienced a major breach must reassure those affected "that the company has a grasp of what happened and has implemented processes and procedures to control and mitigate against any further harm," he stresses in an interview.
Companies also must guard against "providing limited, legalistic or formulaic responses" when communicating breach details, he adds.
In the interview, Raether:
- Comments on lessons learned from the communications in the wake of the Sony PlayStation, Hannaford grocery store chain and Global Payments Inc. breaches. While he notes that Global Payments, a payments processing firm, did a good job of creating a website to keep consumers and investors informed, he adds: "The information provided by Global Payments was inconsistent with the information provided to the public by Visa. That inconsistency in the messaging hurt Global Payments both in the media and in the public eye."
- Emphasizes the importance of creating a call center to field inquiries from consumers;
- Encourages organizations to consider reaching out to regulators, such as state attorneys general, before issuing a breach notice to keep them well-informed and request their review of the notice.
- Discusses how to determine when it makes sense to hire a breach resolution or public relations firm to help with post-breach communications.
Raether is a partner at Faruki Ireland & Cox in Dayton, Ohio. His experience with technology-related issues spans an array of legal areas, including patent; antitrust; licensing and contracts; employment; trademark; domain name disputes; and federal and state privacy statutes. He has been involved in cases addressing compliance with statutes that regulate the use and disclosure of personal information and laws that concern the adequacy of securing against unauthorized access to personal information. Raether has successfully defended companies in more than 25 class actions.