Data breach communications: what to say, and when

Data breach communications, explained in one paragraph

Data breach communications is the discipline of deciding what to disclose once personal or sensitive data is exposed: what to say, to whom, and in what order, coordinated with legal counsel, not run ahead of it. It covers the regulatory notifications, the message to affected individuals, the internal line for staff, and the public response. The whole exercise sits on a single tension. You have a duty to inform people promptly, and a duty to be accurate. Those two pull against each other, because in the early hours you rarely know enough to be both fast and right. Legal privilege and regulatory notification deadlines shape every message you draft, which is why the comms side of a breach can never operate alone.

Get this wrong and you create a second story (about how you handled it) that outlasts the breach itself. Get it right and you keep control of the account that people find when they go looking.

What actually happens in the first hours of a breach

The forensic picture is incomplete and changing. Early facts are usually wrong, or at least provisional. The number of affected records, the type of data, the route in — all of it tends to move as the investigation deepens.

That is why the comms team should be in the room from the start but rarely speaks first. Your job early on is to listen, scope the audiences, and pre-position language, not to publish.

The hardest skill in this window is holding the line. You want to say “we are investigating and acting” without over-committing to facts that are not yet confirmed. Every premature number or assurance becomes a hostage to the next forensic update.

Meanwhile, containment, scoping and notification obligations run in parallel with comms planning. The UK National Cyber Security Centre’s incident management guidance sets out how the technical response is structured; the communications plan has to track alongside it, not lag behind it.

A breach is a communications event as much as a technical one — the two move together.

Who you need to tell, and the order to tell them

Start by mapping the audiences: regulators, affected individuals, employees, customers, investors and the board, partners, and the press. Each needs a different message, and the sequence is not optional.

Sequence matters because telling the press before affected individuals erodes trust and can breach your obligations. People should not learn that their own data was exposed from a news alert.

Internal comes first in practice. Employees who will field questions (on phones, at desks, in stores) need the approved line before the public does. A confused or contradictory front line does more damage than silence.

Then there is the regulator. Coordinating with counsel on notification thresholds is essential, because those thresholds are legal judgements, not comms calls. The UK Information Commissioner’s Office guidance on personal data breach notification sets out when and how a breach must be reported under UK GDPR; sector regulators may add their own. Counsel decides what crosses the threshold. You make sure the public account never contradicts the filing.

What to say: building the breach statement

A credible disclosure has a recognisable anatomy: what happened, what data was involved, who is affected, what you are doing about it, and what affected people should do to protect themselves. Miss one of those and the statement reads as incomplete.

The harder question is what to leave out while the investigation is live, and how to say “we don’t know yet” without sounding evasive. The answer is to be specific about your uncertainty. “We are still confirming the full scope and will update affected individuals as soon as we can” is honest. Vagueness dressed up as reassurance is not.

Tone carries more weight than people expect. Be accountable, plain and non-defensive. Avoid minimising language — “a small number”, “limited impact”, “no evidence of misuse” — that ages badly the moment the numbers revise upward.

The best protection is pre-drafting. Holding statements and notification templates built before an incident mean that when one hits, the work is about facts, not phrasing. The US Federal Trade Commission’s data breach response guide is a useful model for what a clear, actionable notice contains.

What you say, and when, is governed by what you can actually stand behind.

When to say it: timing, disclosure and regulatory deadlines

Regulatory notification windows and public disclosure are not the same clock. The deadline to notify a regulator is a legal obligation with a defined trigger. The decision to make a broad public statement is a judgement call about accuracy, obligation and audience. Treating them as one thing causes mistakes.

“Wait until we know everything” is rarely an option and rarely advisable. The scope of a breach can take a long time to settle, and staying silent while it does hands the narrative to others.

The real risk is a slow or piecemeal disclosure. Drip-feeding bad news produces a second story about the cover-up, which is almost always worse than the breach. Each grudging update reads as something you were forced to admit.

So the public statement and the regulator filing have to be aligned, drafted in step, so the two never contradict each other. A gap between what you told the regulator and what you told the public is exactly the discrepancy a journalist will find.

Common data breach communications mistakes

Four failures recur, and each manufactures a follow-on story:

  • Under-counting early, then revising upward repeatedly. Every correction reopens the wound and erodes trust in your numbers.
  • Legalistic, jargon-heavy notices that read as evasion. If people cannot understand what happened to their data, they assume the worst.
  • Going silent and letting third parties control the narrative. Researchers, critics or the attackers themselves will fill any vacuum you leave.
  • Promising remediation timelines you cannot keep. Commit to acting promptly and in a structured way, not to fixed dates you may have to break.

Our crisis communications best practices piece goes deeper on the patterns that separate a contained incident from a prolonged one.

Messaging in a breach is drafted with counsel for a reason. Privilege, discovery and the written communications record all matter; what you write may surface later in litigation or regulatory review. That is not a reason to write nothing. It is a reason to write carefully.

The working principle is a single source of truth: one approved line, one spokesperson framework, no freelancing. Everyone who speaks works from the same document.

The danger to manage is the opposite of recklessness. Legal caution, unchecked, becomes a communications vacuum — and competitors, critics and attackers are happy to fill it. The skill is keeping the two functions moving in parallel rather than in sequence.

Roles need to be clear: incumbent PR, in-house comms and external counsel each own a part. When everyone knows their lane, the response moves at speed without crossing wires. This is the same coordination logic we set out in how to write a crisis communications plan, applied to the specific pressures of a data incident.

How Morris McLane executes data breach communications digitally

Morris McLane is the digital execution layer that runs beside your counsel and incumbent PR. Our crisis and litigation rapid response service is built to operate inside exactly this kind of high-stakes, legally sensitive moment.

In practice, that means several things running at once.

Always-on monitoring of the information environment

We track where the breach is surfacing (in search, on social platforms, in forums, and in AI assistants) and who is amplifying it, using research and information environment analysis rather than guesswork. That tells you whether the story is contained or spreading, and where the inaccurate versions are taking hold, before they harden into the accepted account.

Pre-built digital response

Holding statements, a notification microsite or FAQ, structured data and reference-source accuracy are prepared so the correct account is what people find when they search. Speed comes from preparation, not improvisation.

Search and AI-answer visibility

When people search your name during a breach, or ask an AI assistant what happened, the answer they get should be your accurate, on-the-record account — not rumour, speculation or an attacker’s framing. We work to surface the correct version in Google and in AI assistants, including reference-source accuracy across the sources those systems draw on. We cover the mechanics of this in when AI assistants get the facts about your company wrong.

Amplification and recovery

Paid and owned channels put the accurate notice in front of the audiences who need it, so the right information reaches affected people rather than waiting to be found. Afterwards, we run a structured debrief on sentiment and share-of-voice recovery.

All of it is court-safe and privilege-aware, coordinated with the regulator filing, and never gets ahead of legal. This is the difference between proactive versus reactive crisis communications: the work is largely done before the incident, so the response is calm and fast when it lands.

A simple pre-incident checklist

You cannot draft a breach response well under pressure. Prepare it cold:

  • Approved holding statements and an audience map drafted in advance.
  • Monitoring pre-warmed, so the earliest signals are caught rather than missed.
  • Spokesperson and escalation roles defined; counsel coordination agreed.
  • A notification page and FAQ ready to publish at speed.

The short version

Data breach communications is about saying the accurate thing, to the right people, in the right order — coordinated with legal, never ahead of it. Tell internal and affected audiences before the press, align the public statement with the regulator filing, write plainly, and never promise what you cannot deliver. The mistakes that hurt most — under-counting, jargon, silence, broken timelines — all create a worse second story about the response itself. The work that protects you is mostly done before the incident.

When it matters, the accurate account has to be the one people find. That is what our crisis communications service is built to deliver.

Frequently asked questions

What is data breach communications?

Data breach communications is the discipline of deciding what to disclose about a security incident, to whom, and in what order, coordinated closely with legal counsel. It covers regulatory notifications, statements to affected individuals, internal messaging and the public response. The aim is to be accurate and accountable while meeting legal and regulatory obligations.

When should you announce a data breach?

Timing is governed by regulatory notification windows and by the duty not to mislead, so the right moment is determined with counsel rather than by a fixed rule. Affected individuals and regulators are typically informed before any broad public statement. The principle is to disclose promptly and accurately once the scope is reasonably understood, not to wait until every detail is final.

What should a data breach notification say?

A credible notification explains what happened, what data was involved, who is affected, what the organisation is doing in response, and what affected people should do to protect themselves. It should be written in plain language, avoid minimising the incident, and be honest about what is still unknown. It must also align with the organisation's regulatory filing so the two never contradict.

Who needs to be told about a data breach first?

Order matters. Regulators and affected individuals usually take priority under data-protection rules, and employees who will field questions need the approved line before the public does. Telling the press before affected people can damage trust and may breach notification obligations. The sequence should always be agreed with legal counsel.

How do communications and legal teams work together during a breach?

Messaging is drafted with counsel so that disclosures are accurate, consistent and mindful of privilege and potential litigation. There should be a single approved line and a clear spokesperson framework. The risk to manage is legal caution becoming a communications vacuum that critics or attackers fill, so the two functions work in parallel, not in sequence.

What are the most common data breach communication mistakes?

The frequent failures are under-counting affected records early and revising upward repeatedly, publishing jargon-heavy notices that read as evasion, going silent while others shape the story, and promising remediation timelines that cannot be kept. Each one tends to create a second, more damaging story about the response itself rather than the breach.

How does Morris McLane support data breach communications?

We run the digital execution layer alongside your counsel and incumbent advisers: always-on monitoring of where the incident is surfacing, pre-built holding statements and notification pages, and search and AI-answer visibility so the accurate, on-the-record account is what people find. The work is privilege-aware, coordinated with the regulator filing, and never gets ahead of legal. See our crisis communications service for how this runs in practice.
