Worried About a Potential Crisis? You Should Be (And Get That Holding Statement Ready)

On a daily basis, we read or hear about a crisis—be it a political scandal, a product recall, or a data breach. It’s easy to brush off these incidents as something that happens to someone else at another company. But the truth is, it can happen to you. And being prepared can greatly mitigate risk and stem the potential tide of media coverage and customer speculation.

Jason Straight (UnitedLex), Valerie Chan (Plat4orm PR), and Debbie Reynolds (Eimer Stahl LLP) speaking at ILTACON 2019.

Jason Straight (UnitedLex), Valerie Chan (Plat4orm PR), and Debbie Reynolds (Eimer Stahl LLP) speaking at ILTACON 2019.

At ILTACON 2019 last week, I had the privilege of speaking on a panel about this very topic—and, more specifically, managing a crisis in the event of a data breach. I was joined by Jason Straight of UnitedLex and Debbie Reynolds of Eimer Stahl LLP.

While these are a fact of modern-day business, in my experience law firms and other companies are often grossly unprepared to respond. Think about it. If something went wrong at your firm tomorrow, how would you proactively handle the crisis? Do you have a plan you can call on immediately? The faster a breach can be identified and the fall-out contained, the lower the cost—both financial and reputational.

So, let’s look at a few key steps you can take. 

First, partner with your communications team. It is paramount that everyone understands how to respond to an incident, and to the questions that will be asked. While it’s not always necessary to communicate a breach to clients until the scope and impact is determined, PR and legal need to be tightly aligned around disclosure obligations to clients and to law enforcement. A good crisis plan will have a recommended response in place for all likely scenarios. 

Secondly, prepare your holding statement. Too many companies assume that press will not find out about a breach—and as a PR professional, I can tell you that is dangerous. You need to be ready to communicate externally while you are determining what happened and who was impacted. A holding statement is a company-approved statement that give press initial information about a crisis and/or what your company is doing to respond to the situation.

A common holding statement approach is: “We are aware of the data breach incident that occurred this morning and are investigating to determine the facts.” (A version of this statement would also be used to assuage any customer concerns in near term). This approach ensures you are not seen to be ignoring press questions or saying, “no comment”, but it’s also not saying anything inaccurate. Such a statement helps press understand that you’re committed to providing them with an answer but need time to gather accurate information.


When drafting a holding statement consider the following general guidelines:

  •  The statement shouldn’t offer any details you don’t know and can’t confirm—stick to the facts.

  • A holding statement is a temporary response. The communications team will be required to follow up with press in a certain time frame with updated information—you may have to move quickly.

  • The communications team needs accurate information to brief press. The crisis response team (including security, IT and senior leadership) must always keep the comms team involved so that can relay accurate updates to press as appropriate. A lack of information or response can be interpreted as internal chaos and lack of control.

  • Your goal is to ensure that press realize the situation is under control—so either it’s no longer worth covering as a story or the coverage is neutral.

Data breaches and cyberattacks are an ever-present threat. As I wrote is 2017, the now-infamous cyberattack on DLA Piper should have served as a warning to all companies, but particularly law firms with incredibly sensitive information. If a firm of that size with strong security resources can be breached, so can you.

So, don’t delay. If don’t already have a crisis communications response plan, my advice is to get started today.