HR Leaders Are Integral Members Of The Info Leak Response Team

Forbes Human Resources Council

Laci is the Global Senior HR Analyst at XpertHR, a division of LexisNexis Risk Solutions.

In 2023, we've seen a rush of data breaches, cybersecurity attacks, intellectual property exposures and leaks of customer records and employee personal information. These issues don’t discriminate by geography, industry or organizational size. T-Mobile, Shields Health Care Group, Google Fi, Yum Brands, Ferrari and American Airlines are but a few examples of companies that fell victim this year.

In an age of unprecedented connectivity and AI, the protection of sensitive corporate and employee information has become an increasingly complex challenge. At-risk information is expansive, including, but not necessarily limited to:

• Chat transcripts or email exchanges

• Corporate and employee bank account, debit card or credit card information, including PINs

• Professional and personal email addresses

• Social media account information

• Gender identification histories

• Geolocation records

• Government-issued identification information, like social security numbers or official photo IDs

• IP addresses, VPN credentials, login and authentication tokens, and passwords and password hints

• Salary data and job grade levels

• Source code

• Tax forms

In these breach scenarios, attempting to balance the need for corporate confidentiality with stakeholders’ expanded expectations for information often falls on the CEO's shoulders. The actions these leaders take in the post-leak period can make or break a company's reputation, employee and stakeholder trust and long-term viability. And as an HR leader, you're a key factor in their effectiveness.

The HR Leader’s Role In Leak Responses

In the aftermath of a sensitive information leak, HR leaders are valuable members of the post-leak response team that helps determine effective communication strategies. Successful approaches demand a combination of strategic thinking, empathy, transparency and a focus on rebuilding trust within the organization and in the public eye—all things that involve HR departments in normal circumstances as well.

If you're ever in a position where a leak response strategy is necessary, here are five key responsibilities you'll have in the process:

1. Rapid Assessment And Information Gathering

Establishing a cross-functional response team helps ensure a comprehensive evaluation of the information leak. As an HR leader, you must swiftly assess the scope and impact alongside the CEO, head of corporate communications, chief information officer, the organization’s general counsel and other executives. This involves gathering accurate information about the compromised data, identifying the affected internal and external parties and understanding potential legal and regulatory implications.

2. CEO Preparation For Honest, Timely Communication

When sensitive information leaks, CEO silence is not a strategy. The CEO must react based on three communication principles: timeliness, transparency and stakeholder priority. To ensure the appropriate equilibrium, you can partner with the response team to craft a clear, empathetic initial message for your CEO to deliver. Prioritize internal stakeholders first, then the broader public. Consider this initial message from Neiman Marcus Group when customer information was leaked in 2021.

Each message should be unique to the audience in terms of tone but consistent in outlining what information was leaked, the potential legal impact on the company and/or its officers and the steps being taken to rectify the leak. You can support your CEO with delivering the narrative in the first 24 to 36 hours post-leak, then begin the process of readying them for sharing regular updates with all relevant parties. By developing a communication plan that outlines key messages, as well as a timeline for updates, you can help ensure your CEO is on point, honest, compliant and timely.

3. Employee Support And Counseling Services

Following an information leak, employees may feel scared, uncertain and stressed. As an HR leader, you should be forthright in assuring that employees' safety and well-being are top priorities. Encourage them to speak to their direct manager so individual arrangements can be made to address specific concerns.

Tailoring support and reminding employees to take advantage of in-house EAP and counseling services can allay many workforce concerns. In some circumstances, you might consider extending support services to employees’ family members who may also be affected. Additionally, an internal platform can help employees voice their concerns and get their questions answered in real time.

4. Training And Education

Together with the CEO and IT department, create and push out mandatory training with realistic examples of data security breaches, confidentiality issues and proper use of company resources. While reviewing educational resources is typically required of new hires and in a recurrent manner, it's always prudent to make relevant learning content available during the post-leak period. By doing so, you enhance employees’ awareness of their ongoing responsibilities.

5. Accountability

Finally, you must lead by example and demonstrate accountability for the incident. This includes acknowledging lapses, if any, in internal processes, outlining corrective actions and ensuring all parties—regardless of position or level—are held accountable. Then, confirm that accountability measures and metrics are included in the CEO’s communication strategy to showcase your organization's commitment to transparency.

Summing Up

Sensitive company information leaks demand a strategic approach to communication. The CEO’s initial response sets the tone for the company's handling of the situation, while follow-up and preventive actions dictate long-term resilience. As an HR leader, you hold a pivotal role in assisting with effective post-leak communication by swiftly assessing the situation, communicating transparently, providing employee support and collaborating with other leaders on the cross-functional response team. When you execute on these key responsibilities, you can successfully safeguard your organization's reputation, rebuild trust among internal and external stakeholders and foster a culture of data security, privacy and ethical conduct.


Forbes Human Resources Council is an invitation-only organization for HR executives across all industries.

