And they need to be ready.
With 42 states (as of press time; see sidebar) requiring public notification in the event of a data security leak, how a company handles itself is critical. Running from the TV cameras and print reporters could negate all the business value that comes from a swift, lawful notification process. In most cases, it's the public relations executive handling the press. The CIO is tucked behind the scenes.
"I think [customers] would appreciate it if the CIO, the CSO were the spokesperson as opposed to the PR person. I think they'd like to see that person up front facing the music," he said. "It can send the wrong message if it's marketing or PR."
Putting a CIO out front as a media contact could be a good idea, said Mark Bernheimer, principal at Los Angeles-based MediaWorks Resource Group, a media training agency.
But allowing a CIO who lacks media savvy to speak for the company is a bad idea.
"C-level executives have to always remember they can do everything the law requires and do exactly what the law requires of them and simultaneously lose the PR battle," said Bernheimer, a former CNN reporter. "If this is going to be a case where it's only a matter of time where it becomes a public matter, then it's much more advantageous to come from the company itself than from a furious customer or authorities."
By leading the IT department, Maloney said, CIOs are uniquely qualified to speak accurately about exactly how a data breach occurred and how the company has since secured itself. The presence of the top IT officer would ideally add a weight of authority to the company's public comments.
As with the legally mandated notification, a company spokesman will have to speak accurately without giving out more information than is necessary to inform the public and assure customers that the company is back in control.
But Bernheimer said the preparation of a media plan can't be reactive. There simply isn't enough time after a data breach to determine who will speak for the company and prepare that person for challenging confrontations with reporters.
Fess up, clean up, don't let it happen again
Bernheimer said a data breach response should contain three elements:
- The company must first take responsibility for what has happened, a tricky line to walk if there is potential for litigation.
- The spokesman must be able to show the company knows and can explain what has happened. That's where Maloney said the CIO could make a positive impression.
- The company must also explain how it will stop a data breach from happening again, another spot where the top IT officer carries weight.
But as with all other aspects of a data breach response and notification, media training for CIOs is moot if it isn't conducted before a breach actually occurs. In the wake of a data breach, the deadline-driven media world won't wait for a company to train executives on how to answer questions.
"In many ways, it's too late," Bernheimer said. "The perception is they've waited to level."
Let us know what you think about the story; email: Zach Church, News Writer