Five Tips for Building Cyber Security Awareness and Policy Toolkit

Suzanne Ross and Kathy Stershic

Kathy Stershic, an information technology and policy expert from Dialog Research & Communications, led a dialogue on Wednesday with the Public Relations Society of America National Capital Chapter’s Public Affairs, Government, and Accredited Public Relations professionals on “The PR Professional’s Role in Managing Data Privacy Risk.”


Kathy Stershic

Knowledgeable about global business, she distills complex information and helps clients connect the bigger picture in even highly disparate situations – such as between cultures in Silicon Valley and DC.

Kathy generously shared five tips with PRSA NCC members to help you get ahead of the data privacy and protection issue and lead your organization’s cyber security and data breach preparedness and response efforts.

Begin to build your PR communications and messaging toolkit such as:

  • Prepare policy statements
  • Explain the context of the problem
  • What you are doing to correct the problem – to the extent possible
  • What you are doing to prevent the problem from recurrence

Self Assessment: What is Your Digital Footprint and Cyber Security Awareness?

Engage leadership, IT experts and staff in constructive dialogue:

  • What are your goals: Do you need to protect your data, your business, your reputation, your time and operations?

If possible, employ a privacy-by-design approach, which is proactive and preventative. It takes into account human values and privacy protections throughout your data system.

  • What is a realistic threat? More than 75 percent of small business IT pros report that employees are their weakest link for cyber-attack.

A privacy impact assessment will help you identify strengths, weaknesses and risk while enabling an informed choice about opportunities your business could take to protect its reputation, business operations and stakeholders.

Stershic Tip #1:  

Know what’s promised—and not—in your company’s privacy notice

Privacy notices – those external-facing documents that give customers the Ts & Cs of sharing their data with you – have become de facto for most businesses, and are often legally required. Even though these policies can be lengthy and challenging to read, they’re a binding agreement with anyone whose data you collect. And there ARE people who read them! Know what your company notice says is being done with collected data – and make sure that actual practices align to that promise.

Stershic Tip #2

Match your product or service claims to reality

No one can truly ‘ensure’ that data security is 100% guaranteed or that your company’s approach is absolutely the best practice or your product is entirely defect-free. If you make such claims, someone just may hold you to them. Find clever ways to make value claims that still match what is truly possible. You’ll need to run it by Legal anyway, so get a head start and wow them with your savvy messaging skills!

Stershic Tip #3

Understand what you’re collecting and why you need it

It is so tempting to gather as much data as you can because “someday” it may come in handy. Data gets stale fast, limiting its useful shelf life. If you have a breach or some regulator comes poking around, you may well have to substantiate a business rationale for holding whatever data you possess. That means a real business purpose now, not a “maybe someday we’ll use it” reason. You can’t get in trouble with what you don’t have, so gather what you truly need and let go the rest.

Stershic Tip #4

Educate staff and remain vigilant

  • Phishing campaigns target lists of contacts, simulating outreach from banks, retailers or government agencies.
  • Malware (malicious code) can be transferred to legitimate (trusted) sources, including through file transfer protocol (FTP) servers that store and transfer malware tools. Any app or link can contain embedded malware.
  • Prevent vandals by understanding (generally) how malware trojans differ and what can be done to prevent them, how botnets can backdoor into your system, and how to prevent viruses and worms from infiltrating your system.
  • While malicious outsider cyber-attacks are real and increasing, the majority of data breaches are caused by human error. Accidental data exposure, lost devices, disgruntled workers doing bad things, papers lying around, unsecured computer screens…any of this ever happen in your workplace? Staying aware of what’s available to whom can go a long way in keeping data secure.

Stershic Tip #5

Overcome Inertia

It’s natural to feel overwhelmed. With years of marketing expertise and current data privacy know-how, Kathy Stershic at Dialog Research & Communications is ready to be your on-demand data privacy manager—for a little or a lot of help.

Not Thinking About Data Privacy? Think Again.

PRSA Dialogue: March 29, 2017
Suzanne Ross, APR

Are you providing educational and strategic counsel on cyber security and privacy to leadership and colleagues within your organization and the publics you serve? 

As high-profile data breaches and invasive malware unfold in the news with increasing frequency, it’s an opportune time to use this heightened awareness to educate your stakeholders about data hygiene and preventive practices, as well as begin to develop a cyber security policy and scenario-based response plan.


Kathy Stershic facilitates PRSA-NCC dialogue. Photo credit: Suzanne Ross

Kathy Stershic, an information technology and policy expert from Dialog Research & Communications, led a dialogue on Wednesday with the Public Relations Society of America National Capital Chapter’s Public Affairs, Government, and Accredited Public Relations professionals on “The PR Professional’s Role in Managing Data Privacy Risk.”

She explained that the increasingly complex and interactive devices in our environments through the Internet of Things (IoT), such as sensors that monitor traffic lights and building functions, or devices with embedded and networked functions (glasses, watches, refrigerators, televisions and beds), can offer powerful social benefits, but they also enable an unwanted bridge into our private lives.

Discussion Focused on Conflict to Core Values

Stershic said, “From cyber breaches to data brokering, there’s a lot of confusion about what’s happening with our data.”

Collectively, event participants were mostly concerned about two issues:
i) Sustaining trust personally in their interactions
ii) Sustaining trust on behalf of the organizations and stakeholders they serve

  • Assumption: The capturing of datasets on U.S. consumers through alliances and relationships is eroding trust.
  • Response: Make trust central to your brand promise and core message.

What are the Legal and Regulatory Boundaries of Privacy Expectations and Implied Consent?

People in the U.S. hold strongly to rights under the Fourth Amendment of the Constitution that protects our right to personal privacy, also referred to as the “right to be left alone.”

The Supreme Court Fourth Amendment case, Boyd v. United States, 116 U.S. 616 (1886), describes the invasion of privacy as not only physical, but as applying to all “invasion of his indefeasible right of personal security, personal liberty, and private property[.]”

Invasion of our privacy through these devices can have damaging outcomes not only to individuals but also to companies liable for exposure of embarrassing information and intrusion of privacy.  Stershic said, “It’s an issue of brand trust as much as liability.”

Orin Kerr, a Professor at The George Washington University Law School, explains that the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, applies, from a legal point of view, only to actions of the government. However, the Fourth Amendment principles and assumptions also inform our common conception of the boundary between the public and private spheres.[i]

What Triggers Changed Public Opinions?

Data collection itself wasn’t objectionable until use of data conflicted with fundamental values. One participant at the event commented, “I didn’t realize that by signing a permission to using a database of an Internet service or wireless communication provider, I also gave them permission to share or sell my information to another third party.”

The U.S. third-party doctrine is your voluntary approval to third parties such as banks, phone companies, Internet service providers (ISPs), and e-mail servers to allow access to your information and you have “no reasonable expectation of privacy.”

Although you may have given your authorization for data collection, with the understanding that you were agreeing to principles to help prevent objectionable content, you may not have realized your risk exposure. While protections under the First Amendment for the use of a person’s name or likeness for commercial purposes, or exclusive advantage and benefit, could result in misappropriation, or false light, requirements such as proof of knowledge and indifference to a person’s preferences and injury make it difficult to pursue legal remedies. Anyway, after discovery, your reputation is already potentially compromised by adjacencies that are not necessarily “uniformly objectionable.”

Holding firm to the third-party doctrine, Facebook’s data use policy statement is explicit: “You give us permission to use your name, and profile picture, content and information in connection with commercial sponsored or related content served or enhanced by us.”

On the one side, the Supreme Court opined the terms of service contract did not extend to target advertising or create profiles of users’ preferences. The Court held that this distinction provided an appropriate way to draw the line between reasonable and unreasonable expectations of privacy, concluding that “[b]ecause the two processes were allegedly separate, consent to one does not equate to consent to the other.”[ii]

On the other side, Congress on Tuesday repealed the Federal Communications Commission’s plan to roll out stronger privacy rules and protections administered by the Federal Trade Commission. What impact this will have on the collection and targeting of messages to the consumer is unclear, as this also changes the regulatory framework governing internet service providers and other telecommunication carriers.


Over the short term, the public and private sector will likely continue to reconcile and accept this practice as a tradeoff for preferred services and access to business opportunities reaching some four billion people globally at an estimated $4 trillion revenue opportunity. The benefits of free-market innovation are unlikely to be curbed unless a recalibration occurs as a result of cyber intrusion, manipulation and impersonation that influence public opinion and impact markets and public safety.

Follow-up: See Kathy Stershic’s FIVE Tips for Developing your Data Breach and Information Policy Toolkit coming on Wednesday, April 6.



Internet Association of Privacy Professionals:

US State Breach Notification Laws: -technology/security-breach-notification-laws.aspx.

US Federal Trade Commission: and security

The FTC’s Data Breach Response: A Guide for Business and business blog, provide steps that businesses can take and whom to contact in the event of a data breach, as well as a model breach notification letter.



[ii] Google Inc. Gmail Litig., 2013 LEXIS 17278, at *13.

PRSA: What’s In It For You?

By Samantha Villegas, SaviPR

This year, I began my first term as a director on PRSA’s National Board. I was voted into the position by the Leadership Assembly last fall, having run from the floor during the meeting. The speech I gave, I was told afterward by many of the delegates, was what won them over. Board Chair Jane Dvorak told me that it was the fact that I mentioned the gratitude I felt for PRSA that earned her vote, and that of other board members in the room.
It’s true, too, as anyone who knows me will tell you, I often say that I owe my career to PRSA, and I mean that literally. While I landed my first PR job on my own more than 20 years ago, it was the mentor I met there that introduced me to the organization. Once a member of PRSA, it was the APR that gave this gal with no PR in my academic background, the knowledge, confidence and credibility I needed to excel at my work and advance in my positions. Then it was the network of colleagues I met at events and on committees who, whenever I needed advice or was looking for a new opportunity, answered with amazing counsel or recommendations or referrals.

So, when a mentor called me last summer to ask if I would consider running for the National Board, of course I jumped at the chance to lend my time and attention to the organization and the people who had lent so much of their time and attention to me. The value I have derived from my membership did not happen extemporaneously. Our behavior, as members, has a direct and substantial influence over the value we derive from PRSA. Here are a few behaviors that I have found greatly enhance the value and overall experience.

  1. Treat your PRSA membership like a gym membership. It’s the same thing. You don’t magically receive value just by joining. You pay the membership fee for the opportunity to work out. Just like you must go to the gym to work out to get fit, you must come to events and get involved to realize the true benefit of membership. So, go to and review the list of committees. Pick the one you are most interested in and join them. Flex your PR muscle for us and you will be rewarded with additional experience for your resume, and a close-knit group of local professionals who will offer you counsel and referral when needed.
  2. Be Humble. There’s a lot of ego in our field, which I think, collectively, does us all a big disservice, because that arrogance tricks us into thinking we have nothing left to learn. It stunts our growth and drives people away. When you acknowledge your weaknesses, and believe you have more to learn, you not only open yourself up to further professional and personal growth, you open yourself up to others, which is something we need to do in an industry based on relationships.
  3. Invest Because You Are Worth It. Times are tight. I get it. But the worst possible thing you can do is not join PRSA or attend a professional development class because your employer won’t pay for you. It’s not your employer’s job to look out for your future, it’s yours. So, invest your own money if they won’t. Take advantage of the quarterly credit card payment option (around $65 every three months) and just make sure you set aside $22/month to cover it. It’s doable. Then, avail yourself of the dozens of free webinars and get the membership rate at events. Trust me, no one in my position after 20 years says, wow, I regret spending that money on my career.
  4. Pay it Forward. I am where I am in my career today because dozens of people gave back in some way to help me get here. Now it’s my turn. I share what I know, share opportunities, share failures, whatever I’ve learned, the value grows exponentially when shared.  So, take what you need from PRSA, then turn around and give some of yourself back to it.

A Warm Welcome from PRSA-NCC!

By Lisa Joahil

If you feel like networking is a task and making the first move is the hardest part, you are not alone. Many students graduate from college and attend networking events for the very first time as working professionals. Many working professionals also feel like it is their first day at college when they start networking at their new job. So, how do we break the ice? How do we overcome that awkward feeling of rejection and lack of confidence?

As I walked through my very first networking event in Washington D.C., at PRSA-NCC’s New Professionals Happy Hour at La Tasca, I quickly learned the solution. I was greeted by members of the New Professionals committee, Jenna Mosley and Josh Gordon, who immediately made me feel welcomed and provided meaningful tips for transitioning into American culture. I recently moved to the area and right at that moment, it dawned on me. The solution was to smile. The welcoming smiles of everyone from various industries within public relations (PR) made it easier to smile back and feel relaxed. At that moment, I was convinced that this was the first step to breaking the ice at any networking event.


From Left to Right: Dolly Maiah, Janicia Moore, Eric Winkfield, and Kelsi Oliver

The New Professionals Happy Hour boasted an attendance of over 50 PR professionals representing their various organizations in an environment that provided an opportunity to form meaningful connections. Many organizations and institutions were represented including American University, Elon University, Full On Communications, Hager Sharp and Sound Exchange. Everyone was very eager to share business cards and offer professional advice and in no time, the smiles turned into laughter. Networking became easier and the connections I made that night would form lasting impressions as I transitioned from another country.

I really enjoyed learning from others that evening and would recommend that if you are a new PR professional in town, mark your calendar when you receive networking emails from PRSA-NCC. The connections you could make will prove to be invaluable. Happy Networking!

Build Career Resilience With Accreditation in Public Relations (APR)

Interview with Suzanne Lundin-Ross, chair of the APR committee

Could you tell us a bit about yourself and your role in the chapter?
Working with PR leaders as the chair of the Accreditation Committee inspires me to amplify the breadth and depth of our knowledge across the PRSA network. I earned my APR in 2008 while working overseas. With more than 15 years of international public relations and development expertise in crisis and disaster management, public health, food security, infrastructure and economic growth in Asia, Africa, and Latin America, I hope to bridge local and national APR expertise to a global platform.

What is Accreditation in Public Relations (APR)?
Accreditation is formal recognition that you are capable of meeting advanced industry standards much like other professional certifications such as those held by your accountant, dentist, or architect. Accredited Public Relations professionals, also called APRs, distinguish from other PR practitioners in that they demonstrate broad business and communications knowledge, a strategic perspective and sound judgment, and also a personal commitment to life-long professional development.

Why would PR pros pursue the accreditation?
The APR offers branded value to organizations and members alike. For companies and organizations, confidence in APR competency is a given: an APR Pro has been independently tested and validated. Importantly, APRs offer added-advantage: they are able to parse metrics that matter for achieving business results. Whether they work to promote a positive policy environment, respond to issues, or help build the business bottom line, they achieve a return on investment.

For public relations practitioners, the APR validates higher-level strategic thinking and management skills—but more than a badge of quality assurance, the APR is a banner line of your toolkit and network help you access growth opportunities and career mobility.

How should PR practitioners begin their accreditation process?
Before applying for the APR, we encourage candidates to join our introductory overview session, called a Jump-start. Registration is now open for the 21 April, half-day, accreditation Jump-start. Register here:

This introductory session, led by seasoned APR facilitators, provides a general overview of professional competencies: knowledge, skills, and abilities (KSAs) that focus on:
  • Strategic design, research, planning, implementation, and evaluation
  • Public relations management
  • Ethics and legal practices
  • Issue and crisis management
  • Theoretical and historical underpinnings of the practice

We discuss resources such as core texts and tools specifically applicable to the two components of the APR accreditation examination process:
  • The case study panel presentation assessment
  • The computer-based examination

We wrap up with a discussion about how to develop an individualized APR work-plan.

Is APR training appropriate for both those thinking about the APR and those seriously seeking the APR?

Absolutely! While the APR designation demonstrates a gold-standard of professional practice, each person’s pathway to the APR is unique.

Some pursue studies independently, some take years to test their mettle, while others seek support from the PRSA on-line program (see: and/or chapter services to lock-down this designation of expertise.

We recognize that a professional support system contributes to an individual’s success. At NCC (see, our volunteers not only facilitate the PRSA national on-line course but also serve as a local point of contact for training, coaching, and mentoring. This helps streamline understanding about ever-improving standards of practice required for the APR.

To help address specific knowledge and skills gaps the NCC offers “deep-dive” Saturday seminars that focus on core KSAs. Our seminar in May will focus on strategic planning, and the seminar in June will focus on regulatory, legal and ethical practices. If we learn from military practitioners that they need a specialized course, we are ready to offer APR+M certificate training.

We also offer APR meet-ups to practice:
a)    Application of the APR framework and KSAs to situations in the current news
b)    Scenario-based questions like those used on the computer examination, to strengthen capacity to make appropriate recommendations on-the-spot, as well as test-taking skills and confidence.

Accreditation sounds like a professional fitness challenge.

Well, it is, and in a good way!

We help practitioners build a strong practice and a powerful professional network of current and emerging APR pros: the key to personal and professional career resiliency.

You attained accreditation! Now what? Build your network


Susan Apgood, APR; Robert Krueger; Sultana Ali, APR; Suzanne Ross, APR, Chair APR Committee; Samantha Villegas, APR.

Recently a colleague and APR panelist with the National Capital Chapter of PRSA Pat Van Nelson wrote an article on LinkedIn ( sharing her experiences during a job search. She urged professionals to remain diligent in building and maintaining a professional network throughout their careers.

Pat and others like her tell us a professional network is not only a key component of a career crisis management plan, but a resource to gain insights into an industry, referrals for a project and guidance about a specific career path or challenge. The plan isn’t formed on the day you learned your employer was downsizing, the day your partner pursued a job in a different state or the day you achieved your APR. It’s a plan that requires strategic thought, curiosity, risk, accountability and sustained commitment to the changes you want to make throughout your career and life.

As Stephen Dupont, APR, said in his blog, “We are all in the relationships business…sharing what we know, and witnessing the journeys of others is the first step in building a lifetime of fruitful relationships.”

One step you can take in building a relationship network is to serve on an APR panel presentation review. You don’t have to join the APR committee, simply volunteer your skills and expertise for a specific activity. At our National Capital Chapter, APRs volunteer to teach one of six Knowledge, Skills, and Abilities in Jump-start introductory courses. In addition, they lead facilitated study events that “drill-down” into key KSA content, and participate in meet-ups such as the new member lunch Dec. 1, to share experiences and career insights.

Often, APRs are connectors helping those who seek career guidance to meet specialists for information interviews. Additional opportunities to begin or join a conversation include sharing your thoughts through publications such as PRsay, and platforms such as the chapter blog or the LinkedIn APR Group and Twitter feed:, @PRSA_NCC, #PRSAchat, #ItTakesAPRo.

As you contemplate New Year’s resolutions for 2017, add “relationship network” to the top of your career plan goal. At the National Capital Chapter, we’re here to help you get started.

Written and compiled by Suzanne Ross

PRSA-NCC Members Experience VIP Tour of Pentagon’s Press Operations

By Bonnie Piper, co-chair of the Public Affairs Committee

Twenty chapter members had the privilege of an all-access behind-the-scenes tour of the press operations at the Pentagon, the headquarters of the Department of Defense. PRSA-NCC member Patrick L. Evans, Defense Department Spokesperson for the office of the Secretary of Defense, led the VIP tour.

Reporters know the Pentagon as a “shoe-leather beat” because you walk everywhere in the Pentagon. That walking exercise translates to covering corridors that total 17.5 miles and a building footprint as large as 34 acres.

Navy Captain Jeff Davis, Director of the DOD Press Office, introduced the PRSA-NCC members to the DOD Press Briefing Room. So much is going on in the Pentagon that there is a resident press crew of 40 different bureaus plus an additional 250 credentialed reporters who cover the Pentagon and military issues. He estimates the DOD press office is more accessible than that of any other Executive Branch agency.

Social media has stepped up the pace of reporting – a tweet drives news, and it’s hard to prove the negative. His deputy director, Tara Rigler, described a typical day for a DOD press officer that begins at 5:00 am by reviewing the email news service (from bases around the world), then contacting various DOD offices at the Pentagon or abroad to clarify information, and then developing talking points. There are 25 press officers who cover a broad spectrum of knowledge and each has continuity with one account. In addition, there is an Office of Digital News headed by a political appointee.
The DOD Press office is a very different place since 9/11. Before 9/11, the Pentagon was downsizing, there was no digital media, no social media, no Facebook, and cell phones were new. The press office had more control – reporters had to come into the Pentagon to get news. Since 9/11, everyone now has cell phones and Facebook pages and people share news; social media has changed everything.

Is everything on the record? There are ground rules that must be followed, to include giving background for context or to help a reporter understand a technical point. After the tour, the group moved on to Sine Irish Pub and Restaurant for happy hour.

The event was organized by Bonnie Piper and John Scally of the Public Affairs and Government committee.