By Carin McDonald, Principal
CMM Strategic Communications
We’ve all been there. The phone rings, and the caller ID flashes the name of a loved one. You pick up, and before you can even say “hello,” you hear the words: “I’m alright.”
Instantly, your stomach drops. You didn’t even know you were worried, but those three words – those immediate, unsolicited assurances – tell you everything you need to know: something happened. Whatever it was, it was serious enough that the first instinct was to manage your panic before explaining the situation.
At that moment, “I’m alright” stops being reassurance. It becomes confirmation that there’s a problem.
In business, and especially in public relations, we recognize this feeling. It is the sinking sensation that follows a corporate announcement meant to calm the waters, only to reveal the depth of the storm – much like the massive Canvas LMS security breach that unfolded this past weekend.
The Corporate “I’m Alright”
In the corporate world, the equivalent of that heart-stopping phone call is the sudden, urgent, and often overly reassuring communication that pops up when a crisis is brewing. It’s the update stating, “Rest Assured, Everything is Stable,” when in reality, users are being greeted by ransom notes on their login pages.
For PR professionals, those statements often create the opposite reaction. Just like you can’t fully relax when a loved one immediately says “I’m alright,” stakeholders become even more alert when reassurance comes before transparency.
The Preemptive Strike Confirms the Worry
The Loved One: Your daughter calls: “I’m alright, but I was involved in a car accident where someone hit me in the back and pushed my car into the one in front of me. Don’t worry, I’m not hurt.”
You may be relieved she’s safe, but your mind immediately jumps to everything she hasn’t told you yet.
The Faux Pas: On May 2nd, Instructure (the parent company of Canvas) announced they had “contained” a cybersecurity incident. However, by May 7th, the hacking group publicly defaced the login page with a ransom demand, undermining the company’s earlier reassurance and signaling that the situation was far from resolved.
The Lesson: When communication begins with an immediate assurance of stability instead of clear facts, the recipient skips right past it and focuses on the incident itself. Transparency builds trust far more effectively than premature declarations.
The Inevitability of Follow-Up Questions
The Loved One: You respond: “Are you sure you’re alright? What exactly happened? Where are you? Did you call the police?”
Reassurance alone never satisfies the concern. People want details, context and next steps.
The Faux Pas: As the Canvas breach escalated, students and educators were left in the dark during critical final exam periods. While the company stated that sensitive data like passwords and financial info weren’t involved, users were left to panic over the theft of 3.65 terabytes of data, including 275 million records and billions of private messages.
The Lesson: Saying “we’re fine” without providing meaningful context only creates frustration and speculation. In a crisis, stakeholders need clear information, consistent updates and guidance on what happens next.
Trust is Managed, Not Declared
The Loved One: “The bumper is damaged, but I can probably still drive the car,” they say, while conveniently leaving out that the muffler is crushed and the vehicle may not actually be safe to drive.
Avoiding the hard details doesn’t reduce concern. It usually increases it.
The Faux Pas: Instructure initially treated the breach as a minor incident, but it evolved into the largest educational security breach on record, affecting over 8,800 institutions worldwide. Minimizing the impact because you don’t want stakeholders to panic almost always backfires when the full scope – like a May 12th deadline for a massive ransom – finally comes to light.
The Lesson: Trust is a currency you earn back through complete honesty and clear instruction. Avoiding the hard questions forces your stakeholders to guess, and they usually guess the worst.
The Better Opening Line
So what should organizations do when the unavoidable incident happens? Ditch the corporate equivalent of “I’m alright.” Instead, communicate with clarity and accountability from the start.
The Organization: “We are aware of the unauthorized access to our systems and the ransom demand currently visible to users. We sincerely apologize for the disruption during this critical final-exam season. While we have secured the login pages, we are still investigating the full extent of the data accessed. We will provide our next detailed update at 2:00 PM EST.”
That kind of response doesn’t downplay the severity of the situation. Instead, it manages anxiety by acknowledging reality, providing direction and committing to continued communication.
In PR, remember the gut-wrenching feeling of that phone call. If your communication feels like a knee-jerk, self-protective statement designed to calm your fears rather than inform your stakeholders, chances are you’ve just triggered the corporate version of the “I’m Alright” moment – and you’ve got a long day/week/month/year of questions ahead of you.