Edited on July 4, 2026.

Doctrine spoke under the Crisis Communications Foundation pillar. Sibling case studies: Target, British Airways.

A breach is a communications event before it is anything else. The forensics take weeks. The narrative takes hours. Whoever wins the first 72 hours defines the story for everyone who reads about it later — customers, regulators, reporters, plaintiffs' lawyers, and the board.

Target learned that in 2013. Sony learned it in 2014. Anthem, JPMorgan, OPM, and Ashley Madison learned it in the twelve months that followed. Every one of those companies had a technical failure. Only some of them had a communications failure on top of it. That distinction is the difference between a bad quarter and a permanent reset of trust.

The firms that get breach response right treat it as a corporate reputation event with a technical root cause — not a technical event with a PR problem attached. That reordering is the whole game.

Hour Zero: Who owns the room

Legal wants to say nothing. IT wants to say nothing until they know everything. Sales wants a script. The CEO wants an answer. Communications has to walk into that room and get a decision inside two hours — because the reporters and the customers are already asking.

The rule: one incident commander, one spokesperson, one approved holding statement, one channel plan. If four departments are each drafting language, four departments will each leak language.

Hours 0 to 24: The holding statement

The holding statement is not a press release. It is a short, humane, factual acknowledgment that a) something happened, b) you are taking it seriously, c) you are working with law enforcement and outside experts, and d) you will update on a specific cadence. That is it. No speculation on scope. No numbers you cannot defend by lunchtime.

Target's early communications in 2013 were criticized because scope estimates kept moving. Every time a number changed, the story restarted. Fewer numbers, held longer, would have collapsed the news cycle faster.

Hours 24 to 48: The customer letter

The customer letter is the single most-read document in the entire breach. It gets forwarded. It gets screenshotted. It gets read out on cable. Write it for the customer sitting at their kitchen table, not for the compliance reviewer sitting in a conference room.

Anthem's 2015 letter — signed by the CEO, plain-English, specific about what was taken and what was not, specific about the free credit monitoring — was studied for a reason. It read like a person wrote it. Every subsequent breach letter that read like a lawyer wrote it lost ground the moment it hit inboxes.

Hours 48 to 72: The reporter list

By day three, three groups of reporters are working the story: the trades, the business desks, and the consumer press. Each one needs different material. Each one is on a different clock. Feeding them from the same one-pager guarantees a bad quote in at least one venue.

The playbook: one background briefing for the trades on the technical response, one on-record executive interview for the business desks on governance and remediation, and one plain-language FAQ for consumer press. Different reporters, different substance, one message spine.

The four failures that repeat

1. Silence. JPMorgan's 2014 disclosure gap became a subplot the bank did not need. When companies go quiet, reporters fill the space with sources who are not authorized and not accurate.

2. Blame. Sony's 2014 breach turned into a months-long story partly because early framing pointed outward before the internal picture was clear. Attribution belongs to the FBI and the forensics firm, not the podium.

3. Legalese. Ashley Madison's 2015 statements read like filings. The audience was millions of frightened users, not a court. Tone matters as much as content.

4. No cadence. OPM's 2015 disclosures dribbled out over months. A stated cadence — even "we will update every Tuesday and Friday until this is resolved" — is worth more than any single statement.

What the board needs to see

Directors do not want a communications plan. They want a communications posture. Three questions, answered in one page:

Who is our spokesperson, and are they trained? What is our escalation ladder for the first six hours? Who is our outside PR counsel, and are they on retainer or on speed dial?

If any of those three answers is "we will figure it out," the company is not ready. Breach response is a muscle. It is built before the incident, not after.

The close

A cyber incident tests three things at once: the technology, the leadership, and the communications. Companies rarely control the first when it counts. They can absolutely control the second and third. The firms that treat breach communications as a boardroom capability — rehearsed, resourced, and owned — come out the other side with customers, share price, and reputation intact. The firms that improvise learn the hard way that a breach is remembered for how it was handled, not for how it happened.


The Crisis Communications Cluster

Crisis communications operates on two clocks in 2026 — the news cycle and the engine cycle. This 72-hour playbook covers the news-cycle mechanics. The pillar and the sibling case studies cover the rest of the discipline.

Ronn Torossian is the founder and chairman of 5W AI Communications, the AI Communications Firm. He is the publisher of Everything-PR and the author of two best-selling editions of For Immediate Release. 5W's crisis communications practice advises corporations, boards, and executives on breach response, litigation communications, and reputation recovery.