Kai Ryssdal: Two very big, very different organizations are grappling with similar problems: Data hacking. Citigroup was hacked three weeks ago. The bank apparently waited to tell its credit card holders while they investigated and then got replacement cards ready. The International Monetary Fund has kept largely mum about its own hack attack, and what confidential files it has about helping to run the global economy that might have been exposed.

Marketplace’s Stacey Vanek Smith has more on the state of corporate anti-hacking preparedness.

Stacey Vanek Smith: No matter who you bank with or where you shop, chances are you have gotten one of those phone calls or emails saying your information has been compromised. Jonathan Winer investigated international crime for the Clinton administration and now consults on cyber security for APCO Worldwide.

Jonathan Winer: Consumer companies like Best Buy and Target, financial companies like Capital One, Chase, Bank of America, Citibank — everybody’s got the problem.

And almost everybody fumbles how they handle it — being too secretive or saying too much. And that’s largely because they don’t have a plan in place to deal with all the hydra heads of a data breach, say Winer.

Winer: You’ve got to have a protocol and the protocol needs to include a legal side, a forensic side, an IT side and a public affairs side.

Speed and competence are key, says David Evans. He’s the CEO of Psychster; it recently teamed up with Microsoft to study the best ways for companies to communicate data breaches on social networks.

David Evans: You don’t have the option of sitting it out. You really do need to get on Twitter and address the issue because the users that are affected by an outage or a breach are going to be discussing it there with or without you.

Evans says it’s tricky, because companies need to wait until they have enough information to make a meaningful announcement and a team set up to handle the situation, so they don’t get flooded with phone calls from panicking customers. But if companies wait too long, they risk looking untrustworthy. A Senate bill would help clear that up — it would put time limits in place for companies to report a data breach.

In New York, I’m Stacey Vanek Smith for Marketplace.