5.1 Drafting Regulatory Notifications
Regulatory notifications during breach incidents are legal documents with significant consequences. Every word matters. Legal counsel must ensure accuracy, consistency, and strategic positioning while meeting disclosure obligations.
Core Principles for Regulatory Drafting
- Accuracy: State only what you know with certainty. Distinguish facts from preliminary assessments.
- Completeness: Include all mandatory elements per regulatory requirements
- Consistency: All notifications across regulators must tell the same story
- Timeliness: Meet deadlines - late notification itself is a violation
- Non-admission: Avoid language that admits liability unnecessarily
Notification Structure Template
| Section | Content | Legal Considerations |
|---|---|---|
| Incident Description | What happened, when detected | Use neutral language; avoid characterizations |
| Scope Assessment | Systems/data affected, number of individuals | Qualify if preliminary; commit to updates |
| Containment Status | Actions taken to contain | Demonstrate reasonable response |
| Remediation Steps | Current and planned actions | Show proactive measures |
| Investigation Status | Ongoing investigation details | Reserve right to update findings |
| Contact Information | Designated contact for queries | Ensure availability and preparation |
Use phrases such as "Based on our current investigation..." or "Preliminary assessment indicates..." to preserve flexibility. Avoid definitive statements until the investigation is complete. Always include: "We will provide updates as our investigation progresses."
What NOT to Include in Initial Notifications
- Root cause conclusions: Unless certain; the investigation may reveal a different cause
- Liability admissions: Avoid "we failed to" or "our negligence"
- Speculation: About attacker identity, motive, or future risks
- Privileged information: Legal advice or litigation strategy
- Inconsistent numbers: Figures that may need correction later
Regulators communicate with each other. If your CERT-In report says 10,000 records were affected but your DPDPA notification says 50,000, you have a problem. Maintain a single source-of-truth document from which all notifications draw their facts and figures.
5.2 Public Disclosure Considerations
Deciding when, what, and how to disclose publicly involves balancing legal obligations, reputation management, stakeholder expectations, and potential litigation exposure. Legal counsel plays a central role in this decision.
Factors Influencing Public Disclosure Decision
| Factor | Favors Disclosure | Favors Delay |
|---|---|---|
| Legal Obligation | DPDPA requires notification to affected individuals | No mandatory public disclosure requirement |
| Affected Population | Large number of individuals need to take action | Small, identifiable group can be notified directly |
| Risk to Individuals | Immediate action needed (password change, fraud alert) | Risk can be mitigated without individual action |
| Media Awareness | Breach already public or likely to leak | No external knowledge of incident |
| Investigation Status | Sufficient facts to communicate meaningfully | Early stages with uncertain scope |
| Stakeholder Trust | Proactive disclosure builds trust | Incomplete information may cause panic |
Listed Company Considerations
For companies listed on stock exchanges, additional factors apply:
- Price-sensitive information: Material breaches may require stock exchange disclosure
- Insider trading risk: Employees with breach knowledge must not trade
- Selective disclosure: Avoid telling some stakeholders before public announcement
- Trading halt: Consider whether trading halt is appropriate
If a breach is likely to become public anyway (through media coverage, attacker claims, or complaints from affected individuals), it is generally better to get ahead of the story with your own disclosure than to appear to be hiding it. Reactive disclosure after media exposure is far more damaging than proactive transparency.
5.3 Media Statement Legal Review
Media statements during breach incidents are legal documents that may be used in litigation, regulatory proceedings, and reputation management. Legal review of all external communications is essential.
Legal Review Checklist for Media Statements
- Factual Accuracy: Every fact must be verified - no speculation or assumptions
- Consistency: Must align with regulatory notifications and internal records
- Non-Admission: Avoid language that admits fault or liability
- Forward-Looking Statements: Qualify appropriately to avoid securities law issues
- Privacy Protection: Do not disclose details that could identify individuals
- Investigation Protection: Avoid details that could compromise ongoing investigation
Language Dos and Don'ts
| Instead of... | Use... | Reason |
|---|---|---|
| "We were hacked" | "We experienced a security incident" | Neutral; doesn't assume criminal intent |
| "Our systems were breached" | "Unauthorized access was detected" | Factual; no admission of systemic failure |
| "We failed to protect data" | "We are investigating the incident" | Avoids admission of negligence |
| "All customer data was stolen" | "We are assessing the scope of affected data" | Accurate; avoids overstatement |
| "The attack was sophisticated" | "We are analyzing the incident" | Sophistication claims may be challenged |
Designate a single spokesperson for all media interactions. Legal should: (1) prepare talking points with approved language, (2) conduct mock Q&A sessions, (3) define "no comment" topics, (4) establish real-time approval process for new questions. Unauthorized statements by employees can create serious legal exposure.
Social Media Considerations
- Speed vs. Accuracy: Pressure to respond quickly must not compromise accuracy
- Character limits: Legal review even for short posts - every word matters
- Engagement: Responding to individual comments creates risks - use carefully
- Monitoring: Track social media for misinformation requiring correction
- Screenshot risk: Everything posted can be preserved and used later
5.4 Crisis Communication Framework
Effective crisis communication requires a pre-planned framework, clear roles, and rapid decision-making. Legal counsel must be embedded in the communication process, not a bottleneck.
Communication Approval Workflow
| Communication Type | Approval Required | Timeline |
|---|---|---|
| Regulatory notification | Legal (mandatory), CEO (for material) | Before submission |
| Press release | Legal + Communications + CEO | Before release |
| Customer notification | Legal + DPO | Before sending |
| Employee communication | Legal + HR | Before distribution |
| Social media post | Legal + Communications | Before posting |
| Media interview responses | Pre-approved talking points from Legal | Real-time reference |
Communication Timeline Coordination
- Internal first: Inform employees before external parties learn from media
- Regulatory concurrent: Notify regulators as required by timeline
- Affected individuals: Per DPDPA - notify those whose data is compromised
- Business partners: Per contract requirements
- Public/media: Only after internal and regulatory stakeholders informed
Create communication templates BEFORE incidents occur: (1) holding statement for initial response, (2) notification templates for each regulator, (3) customer notification templates, (4) FAQ document structure. During a crisis, you will not have time to draft from scratch.
Managing Media Inquiries
- Single point of contact: All media inquiries to designated communications person
- Response time commitment: Acknowledge inquiry promptly even if full answer takes longer
- Off-the-record: Nothing is truly off-the-record - assume everything may be published
- Correction requests: Document inaccurate reporting and request corrections formally
- No speculation: "We are investigating" is acceptable; guessing is not
Key Takeaways
- Consistency is critical: All notifications and statements must tell the same story
- Accuracy over speed: Take time to verify facts before communicating
- Non-admission language: Avoid phrases that admit fault or liability
- Get ahead: Proactive disclosure is better than reactive damage control
- Pre-plan templates: Create communication templates before incidents occur