As healthcare and technology companies experience more frequent cybersecurity breaches, service disruptions, and regulatory investigations, New York corporate attorney Steven I. Okoye is urging executives to rethink how they communicate during crises. As a specialist in digital health and regulatory compliance, Okoye believes that crisis communication must be considered a critical component of a legal strategy, rather than an after-the-fact messaging tactic.
Okoye, a graduate of Rutgers Law School, has strong ties to New Jersey’s legal community. Prior to joining Wilentz, Goldman & Spitzer, P.A., Okoye served as a clerk in New Jersey’s Superior Court and worked in the appellate and chancery courts. His early experience in these types of courts instilled in him a critical skill that he now identifies as essential to effective incident response: the ability to articulate complex concepts clearly while under stress.
“My experiences in New Jersey courts demonstrated that clarity is the foundation upon which trust is established,” Okoye said.
This week, speaking to corporate counsel and compliance officers, he described a “Three Audiences, One Voice” framework for responding to the first hours and days of a crisis. This structured approach gives companies an organized way to communicate with employees, regulators and customers without creating fear or increasing exposure to additional liability.
“Panic spreads like wildfire; however, so does calmness,” Okoye said. “Companies that retain a positive public image and maintain business continuity during a crisis are those that communicate with accuracy, empathy and discipline from the moment the crisis begins.”
Framework based on actual case studies
Okoye’s methodology is grounded in over a decade of providing guidance to telemedicine platforms, health tech start-ups, and multiple-state healthcare providers through HIPAA breaches, New York SHIELD Act notifications, and DFS cybersecurity filings. Okoye’s background includes years of experience in the New Jersey legal system and involvement with the New Jersey State Bar.
Okoye’s framework consists of three phases.
Employees first.
Okoye states that all employees must receive a notification from management no later than 30 minutes after a confirmed incident. The initial employee notification should include only verified facts about the incident, instruct employees not to speculate, and provide a timeline for future communications. Okoye compares this process of communicating facts to his judicial clerkships, where he provided concise briefing documents.
Regulators second.
Both the New York Department of Financial Services (DFS) and the U.S. Department of Health and Human Services’ Office for Civil Rights require timely notices of a breach of security, updated factual information and a detailed description of the remediation steps taken by the company. Okoye advises his clients to take a position of containment, not excuse, because doing so enables regulators to see the company acting responsibly, as the “adult in the room.”
Customers third, with empathy.
Okoye simply advises against beginning customer communications with technical disclaimers. Instead, begin with a statement acknowledging the customer’s concern and then communicate using clear timelines and language that is understandable to non-technical individuals. Okoye credits his communication style with customers to his time as a mentor to law students competing in high-stress moot court competitions.
Unique challenges in the healthcare sector
Okoye recognizes that, because many of his clients are in the digital health space, the consequences of a data breach can elicit emotional reactions among patients that may not occur in other sectors.
“When we fail in our responsibility to protect patient data, it is perceived as a personal betrayal, as patients entrust us with some of the most private aspects of their lives,” he said.
Okoye’s emphasis on “Privacy By Design,” which involves integrating incident response procedures into product development, enables companies to develop and implement consistent, calm, and compliant communications more rapidly in the event of an emergency. Okoye developed this approach during his externship with Judge Paula Dow in New Jersey’s Chancery Division and his clerkship with Judge Thomas Sumner Jr. in New Jersey’s Appellate Division.
Growing demand for crisis communication expertise
With increasingly short regulatory deadlines, rising expectations from investors, and the Securities and Exchange Commission’s four-day disclosure rule for material incidents, companies today consider crisis planning a top-of-mind issue for the board of directors. Okoye reports that tabletop simulations, previously an optional tool, are now mandatory for his Series A and Series B clients prior to raising capital.
“Investors are now requesting the Incident Response Plan prior to reviewing the Cap Table,” he said.
Okoye’s comments reflect similar sentiments expressed in a recent Tech Bullion article, where he stated that transparency is key to digital health. “Secure systems and transparent communication are two sides of the same coin,” he wrote.
Okoye remains connected to the New Jersey legal community through Rutgers Law Alumni Associations and State Bar Initiatives. Corporate counsel can obtain templates and/or schedule simulation sessions with Okoye through his LinkedIn profile or through the New Jersey State Bar Association Referral Service.
Okoye’s message is resonating throughout the industry as cybercrimes continue to escalate. Okoye believes that the ability to communicate effectively during a crisis has become one of the most valuable assets an executive team possesses.
“In a crisis, the calmest voice in the room is often the most powerful,” he said.
