Crisis Communication Scripts

Pre-written, legally reviewed templates for every stakeholder. During a breach, you don't have time to draft from scratch. Copy, customize, send.

Legal Disclaimer

These templates are for reference only. Always have legal counsel review your actual notifications before sending. Laws vary by jurisdiction and fact pattern.

1. CEO/Board Notification (First 4 Hours)

Send this within 4 hours of breach discovery. Executives need facts fast.

Template: Executive Alert

SUBJECT: URGENT: Security Incident Detected - Immediate Action Required

TO: CEO, Board of Directors, Executive Team
FROM: [CISO/Security Lead]
DATE: [Current Date/Time]
PRIORITY: CRITICAL

EXECUTIVE SUMMARY:
We have detected a security incident that may have resulted in unauthorized access to [company systems/customer data]. This notification is being sent within [X hours] of discovery to ensure immediate awareness.

INCIDENT DETAILS:
- Discovery Time: [Date/Time]
- Affected Systems: [List systems]
- Preliminary Scope: [Number of records/systems affected - if known]
- Data Types Potentially Affected: [PII/PHI/Financial/Credentials]
- Attack Vector: [Ransomware/Phishing/Exploitation - if known]

IMMEDIATE ACTIONS TAKEN:
✓ Affected systems isolated from network
✓ Incident response team activated
✓ External IR firm engaged: [Firm Name]
✓ Legal counsel notified
✓ Forensic investigation initiated

REGULATORY IMPLICATIONS:
[✓/✗] GDPR: 72-hour notification deadline applies
[✓/✗] HIPAA: Breach notification required
[✓/✗] SEC: Material event disclosure may be required
[✓/✗] State Laws: Multi-state notification obligations

NEXT STEPS (Next 24 Hours):
1. Complete forensic scope assessment
2. Convene emergency board meeting [Proposed time]
3. Prepare notification strategy
4. Engage crisis communications firm
5. Notify cyber insurance carrier

BOARD BRIEFING:
Emergency board call scheduled for [Date/Time]. Full briefing deck to follow within 24 hours.

MEDIA/PUBLIC DISCLOSURE:
No public disclosure at this time. Communications team preparing holding statements.

CONTACT FOR QUESTIONS:
[Name] - [Title] - [Phone] - [Email]

This is a developing situation. Updates will be provided every [6/12/24] hours or as significant developments occur.

[Your Name]
[Title]
[Contact Information]

2. Customer Notification (GDPR-Compliant)

Use this for EU/UK customers. GDPR Article 34 requires the notice to be written in "clear and plain language."

Template: GDPR Customer Notice

SUBJECT: Important Security Notice About Your [Company Name] Account

Dear [Customer Name],

We are writing to inform you about a security incident that may have affected your personal information.

WHAT HAPPENED
On [Date], we discovered that an unauthorized party gained access to [our systems/database]. We immediately launched an investigation with external cybersecurity experts.

WHAT INFORMATION WAS INVOLVED
Based on our investigation, the following types of your personal data may have been accessed:
• [Name and contact details]
• [Email address]
• [Account information]
• [Other relevant data types]

The following data was NOT affected:
• [Payment card information - if applicable]
• [Passwords - if applicable]

WHAT WE ARE DOING
• We have secured our systems and closed the unauthorized access
• We engaged leading cybersecurity experts to investigate
• We have notified the relevant data protection authority
• We are implementing additional security measures to prevent future incidents

WHAT YOU SHOULD DO
We recommend you take the following protective steps:
1. Change your password immediately at [URL]
2. Enable two-factor authentication on your account
3. Monitor your account for unusual activity
4. Be cautious of phishing emails claiming to be from [Company Name]

We are offering [12/24] months of free identity monitoring services through [Provider Name]. To enroll, visit [URL] and use code [CODE].

YOUR RIGHTS
Under GDPR, you have the right to:
• Access your personal data
• Request correction or deletion
• Object to processing
• Lodge a complaint with your data protection authority

For more information about your rights, visit [URL].

QUESTIONS?
If you have questions, please contact our dedicated support team:
• Email: [security@company.com]
• Phone: [Support Number]
• Hours: [24/7 or specific hours]

We sincerely apologize for this incident and any concern it may cause. Protecting your information is our top priority.

Sincerely,

[Name]
[Title]
[Company Name]

This notice is being sent in compliance with GDPR Article 34.

3. Employee Internal Memo

Keep employees informed to prevent rumors and to ensure they don't inadvertently disclose information to media or customers.

Template: All-Staff Notification

TO: All Employees
FROM: [CEO/Leadership Team]
DATE: [Current Date]
RE: Security Incident - Internal Communication

Team,

I want to make you aware of a security incident we are currently managing.

THE SITUATION:
On [Date], we detected unauthorized access to [certain company systems]. We immediately activated our incident response plan and engaged external cybersecurity experts to investigate.

WHAT WE'RE DOING:
• Our security team is working 24/7 to contain and resolve this
• We've engaged [External IR Firm] for forensic investigation
• We're coordinating with law enforcement and regulators as appropriate
• We're notifying affected customers and providing support

YOUR ROLE:
To protect our customers and company, please:

✓ DO:
- Continue your normal work responsibilities
- Direct any customer questions to [designated contact]
- Report any suspicious activity to IT immediately
- Use only approved communication channels

✗ DO NOT:
- Discuss this incident with customers, vendors, or media
- Post about this on social media
- Forward this email outside the company
- Speculate about the incident with colleagues

MEDIA INQUIRIES:
If contacted by media, say: "I'm not authorized to comment. Please contact [PR Contact] at [email/phone]."
Then immediately notify [PR Contact].

CUSTOMER INQUIRIES:
Direct all customer questions to our dedicated support team at [email/phone]. DO NOT attempt to answer questions about the incident yourself.

QUESTIONS?
We will provide updates as we learn more. If you have immediate questions, contact:
• Technical questions: [IT Contact]
• HR/Personal concerns: [HR Contact]
• General questions: [Leadership Contact]

I know this is concerning. Please know that we have top experts working on this and we are committed to transparency with all stakeholders.

Thank you for your professionalism and discretion.

[Name]
[Title]

4. Regulatory Notification (HIPAA - HHS)

For breaches affecting 500 or more individuals, notify HHS without unreasonable delay and no later than 60 days after discovery.

Template: HHS Breach Notification

BREACH NOTIFICATION TO HHS
(Submit via HHS Breach Portal: https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf)

COVERED ENTITY INFORMATION:
Organization Name: [Legal Entity Name]
Address: [Street Address]
City, State, ZIP: [City, State, ZIP]
Contact Person: [Privacy Officer Name]
Phone: [Phone Number]
Email: [Email]

BREACH DETAILS:

1. DATE OF BREACH:
Discovery Date: [MM/DD/YYYY]
Breach Occurrence Period: [MM/DD/YYYY] to [MM/DD/YYYY]

2. TYPE OF BREACH:
☐ Hacking/IT Incident
☐ Unauthorized Access/Disclosure
☐ Theft
☐ Loss
☐ Other: [Specify]

3. LOCATION OF BREACH:
☐ Network Server
☐ Email
☐ Electronic Medical Record
☐ Paper/Films
☐ Other: [Specify]

4. NUMBER OF INDIVIDUALS AFFECTED:
Total: [Number]
Breakdown by State: [If applicable]

5. PHI INVOLVED:
☐ Names
☐ Addresses
☐ Dates (birth, admission, discharge, death)
☐ Social Security Numbers
☐ Medical Record Numbers
☐ Health Plan Beneficiary Numbers
☐ Diagnosis/Treatment Information
☐ Other: [Specify]

6. BRIEF DESCRIPTION:
[Provide factual description of what occurred, how the breach was discovered, and the nature of PHI involved. Example:]

"On [Date], our organization discovered that an unauthorized individual gained access to our network environment between [Start Date] and [End Date]. The investigation, conducted with external forensic experts, determined that files containing protected health information for [Number] individuals may have been accessed. The PHI included [list types]. We have no evidence of misuse of the information at this time."

7. SAFEGUARDS IN PLACE:
[Describe security measures that were in place:]
• [Example: Firewall protection]
• [Example: Antivirus software]
• [Example: Encryption for data at rest]
• [Example: Access controls and authentication]

8. ACTIONS TAKEN:
• Containment: [Describe immediate actions]
• Investigation: [Describe forensic analysis]
• Notification: Individual notification sent on [Date]
• Remediation: [Describe security improvements]

9. NOTIFICATION TO INDIVIDUALS:
Date Sent: [MM/DD/YYYY]
Method: [Mail/Email/Phone/Substitute Notice]

10. NOTIFICATION TO MEDIA (if 500+ individuals in same state):
Date: [MM/DD/YYYY] or N/A
Media Outlets: [List] or N/A

ATTACHMENTS:
• Sample individual notification letter
• [Other relevant documentation]

Submitted by:
[Name], [Title]
[Date]
[Signature]

5. Media Holding Statement

Prepare this before you need it. Media will call. Have a statement ready.

Template: Media Statement

FOR IMMEDIATE RELEASE

[Company Name] Statement on Security Incident

[CITY, STATE] – [Date] – [Company Name] today confirmed that it recently detected a security incident affecting [certain systems/customer data].

Upon discovery on [Date], we immediately launched an investigation with leading cybersecurity experts and took steps to secure our systems. We have notified law enforcement and are coordinating with relevant regulatory authorities.

Based on our investigation to date, we believe that [brief description of what happened and what data was affected]. We have no evidence at this time that [the information has been misused/accounts have been compromised - if true].

We are notifying affected [customers/patients/individuals] and offering [credit monitoring/identity protection services] at no cost.

Protecting [customer/patient] information is our highest priority. We sincerely apologize for this incident and any concern it may cause. We are implementing additional security measures to prevent future incidents.

For more information, affected individuals can visit [URL] or call our dedicated support line at [Phone Number].

MEDIA CONTACT:
[Name]
[Title]
[Email]
[Phone]

###

TALKING POINTS FOR SPOKESPERSON:

Opening Statement:
"We take the security and privacy of [customer/patient] information extremely seriously. As soon as we detected this incident, we moved quickly to contain it and launch a thorough investigation with leading cybersecurity experts."

Key Messages:
1. Speed of Response: "We acted immediately to secure our systems and engage experts."
2. Transparency: "We are being transparent with affected individuals and regulators."
3. Support: "We're offering [X months] of free [credit monitoring/identity protection]."
4. Prevention: "We're implementing additional safeguards to prevent this from happening again."

Do NOT:
• Minimize the incident ("no big deal")
• Speculate on cause or extent
• Blame third parties or individuals
• Discuss costs or legal exposure
• Criticize existing security measures

Deflect to Investigation:
"Out of respect for the ongoing investigation, I can't comment on specific technical details, but we're working with law enforcement and will share more information as it becomes available."

Frequently Asked Questions

When should I notify customers about a data breach?

GDPR requires the supervisory authority to be notified within 72 hours of discovery, and affected individuals without undue delay where the breach is likely to result in a high risk to them. HIPAA requires notification within 60 days. Most US state laws require notification without unreasonable delay, typically 30-60 days. Always consult legal counsel before sending notifications.

What should I include in a breach notification to customers?

Include: what happened, what data was affected, when you discovered it, what you're doing about it, what customers should do (e.g., change passwords, monitor accounts), and how to contact you with questions. Be clear, factual, and avoid technical jargon.

Should I notify the media about a data breach?

Only if required by law (e.g., HIPAA requires media notification if breach affects 500+ individuals) or if the breach becomes public knowledge. Prepare a holding statement in advance but don't proactively reach out unless legally obligated or strategically necessary.