Chapter 3. Winning Hearts and Minds

Formulating a media strategy

Data breaches come with huge costs in terms of fines, negative publicity, lost business and sweeteners to affected customers, so it’s no wonder that many are kept in-house if at all possible.

However, if a breach is serious enough to warrant reporting to the regulators, there is a strong chance that the ‘truth will out’ and, if the news is going to hit the media, it is vital that the game is played on your terms. Yet nowhere in breach crisis management is the lack of planning more acute than in the sphere of public relations control.

‘Too many times we see companies making policies on the hoof,’ says Dhadda. ‘It looks shoddy because they haven’t thought it through at all, and the tension and anxiety of the situation can come across in the information that is given out.’

First reports on the breach are likely to be seized upon by the media and widely circulated around the Web via bloggers. As with other areas of breach management, the key is preparation.

‘Like everything else, you should have, on record for rapid access, a pre-assembled response,’ says Martin. ‘Journalists want a statement immediately, but it doesn’t have to be the final version – it just needs to be something general, such as “we are investigating” that will buy you two hours.’

‘With that little extra time you can assess what you are doing and the scale of the problem, then make a proper statement later.’

A considered approach is key. With everyone concentrating on their own area of expertise and responsibility, marketing experts say public relations professionals are essential in managing a concerted response.

‘Professionals who are trained in communications will be more focused because, when a website goes down or gets hacked, the company will be absorbed with trying to get back on line,’ says Dhadda. ‘People are focused on their individual roles and not taking a 360° view of the situation. Everyone else is absorbed; IT staff are busy dealing with the systems, the CEO is dealing with damage, the legal team will be working out their liabilities. A PR professional will only be thinking: “What needs to be said, at what time and to whom?”’

Keeping the media and public posted is critical to external perception of the way the crisis is being handled so, once the decision to go public has been made, it should be followed with conviction.

‘If an accident occurs, silence is the most deadly – you need to instantly share with the public what policies were in place and say that the investigation is ongoing – that will placate people,’ says Dhadda.

Once someone in the company has been appointed to liaise with the media, they should be fully briefed on the situation and the company line, and be available for comment because, if the story has momentum, then the journalists will keep banging away, or will simply quote rumours springing up in the blogosphere.

‘The story has to be moved on and there is airtime and print space to be filled, so a company needs to have the right information available from the right people,’ says Dhadda. ‘Otherwise, the journalists will go to their second and third sources, and they might be the people that you don’t want to hear talking.’

The role of public relations doesn’t stop at massaging the message through the crisis, but should also include placing positive stories such as what the company has done to help affected customers. For example, releases should include details of any credit monitoring services offered and, in particular, anything the company has done that is above and beyond its legal responsibilities.

Letters of notification also benefit from the light touch of spin. Decisions need to be made as to whether to use a ‘Dear Mrs Smith’ or a blanket ‘Attention valued customers’ approach, and just how much detail to make public.

Keeping customers onside

After disclosure, the biggest drain on resources is managing the fallout and, in many cases, this involves keeping existing customers sweet.

Understandably, they will be worried about what the lost data means to them, and the risk of exposure to identity fraud.

It’s now common practice to offer credit monitoring to ensure that data your company has spilt aren’t used by ID fraudsters to target the people whose details were compromised.

Companies such as Equifax, Experian and TransUnionCorp offer monitoring services, but these obviously push up the price of post-incident care. Ex-post costs in the UK currently run at around £15 per file lost, according to the Ponemon Institute, while in the US the cost is a significantly higher $48.

Statistically, most victims will not take the offer up, which at least reduces potential costs, but some consumers will want recompense for all costs incurred and loss of earnings for the time spent organising replacement documents.

Consumers affected by the infamous TJX credit card number breach have been offered three years’ credit monitoring, $20,000 of identity theft insurance, reimbursement for the costs of replacing driver’s licences and other ID-sensitive paperwork, plus vouchers to cover their inconvenience. TJX also felt obliged to offer all victims access to a one-day sale where 15% was slashed off all prices in stores.

The total cost of the breach is unknown, but if post-crisis spending matched Ponemon’s average and was multiplied by the 15 million live card details harvested by hackers, the bill for keeping consumers safe and sweet would approach $720 million.
