While corporate data breaches have become ubiquitous in the 21st century, the response should be anything but routine.
What does “routine” look like? A public statement weeks or months after the breach is discovered, followed by a free package of identity theft protection and credit file monitoring. The delay in public disclosure usually happens so the company in question can get its house in order, but it does nothing to endear the brand to victims of the breach whose personal information has been compromised.
Expectations around how Corporate America responds to and communicates about data breaches have evolved significantly. Today’s consumers expect prompt notification and full transparency: how the breach occurred, what data was exposed or at risk, how long the attacker had access, what is being done to shore up cybersecurity defenses so that it does not happen again and, critically, live human beings who can answer anxious customers’ questions in real time by phone, live chat, or email.
Here are some recommendations on how to protect your organization’s reputation before, during, and after a cyberattack.
Build Social Equity. Take the time to establish the voice of your brand on those social platforms followed most closely by your key stakeholders. After all, these pages and feeds are the first place those affected by a breach will turn to for information and answers. If your business has established itself as responsive to the needs of those you serve, these channels will be integral in sharing important information when it’s needed most. Don’t think that you can wait until a crisis occurs to start a dialogue with frantic customers on a social media page that has remained relatively dormant.
Build a Plan and Train. Establish a crisis response team and task them with drafting communications protocols for a breach. This should cover what information is shared with whom, and in what order, plus template language that can be adapted for internal and external stakeholders. Review and update the written plan regularly, as often as twice a year if needed. Importantly, IT should know where its responsibilities begin and end during a breach, and who picks up at the handoff. Don’t skip simulated tabletop exercises; they are crucial for exposing weaknesses in the chain of crisis command before a real incident does.
Let outside counsel take the lead. Once a breach has occurred, the investigation should ideally be led by third-party forensic investigators and outside legal counsel, not by in-house IS or IT leaders. First, outside counsel will have the expertise and experience to guide your organization through industry, state, and federal reporting requirements. Second, when a data breach is discovered, the heat will be on the IS and/or IT departments, and outside consultants help keep evidence collection objective. Legal and forensic counsel should approve all communications, as well as any technical remediation, in the wake of a suspected breach, not least so that evidence (logs, disk images, memory captures) is preserved before systems are rebuilt. Engaging the forensic firm through counsel also helps keep the investigation’s findings and related communications under attorney-client privilege, an extra layer of protection over what may become discoverable in potential litigation; simply copying an attorney on an email does not by itself make it privileged.
Respond rapidly. If a brand takes accountability only after weeks of evading blame, it will likely suffer the same reputational hit as if it never had. When crisis strikes, the default should be to move as quickly as possible: if the breach is found on a Friday afternoon, waiting until Monday morning to respond won’t cut it. Assemble decision makers immediately to gather the facts, assess the potential fallout, and plan a response. A lackadaisical start leaves your organization exposed and unable to mount its most effective response, and once media coverage begins it puts you behind the eight ball in driving the narrative and telling your side of the story.
Tell ’em what you know. While some crisis counselors are proponents of waiting until the total amount of damage is known before going public, I’d recommend being upfront as soon as possible and not waiting the weeks or longer required to conduct a full forensic investigation. While it might be painful for the company to provide updates with greater frequency, with each communication reporting a greater number of customer accounts hacked, transparency is paramount.
Consider the data breach at the TJX Companies, discovered in December 2006, in which more than 45.6 million credit and debit card numbers were stolen. Even today the breach is cited as one of the most poorly managed, in large part because it was kept private until mid-January 2007, apparently at law enforcement’s request. That may have given the company time to shore up its systems and investigate, but to the public it looked like a retailer sitting on bad PR until after the holiday season. Executives said “no comment” and communicated only through written statements. When asked whether it would provide credit monitoring for affected customers, the company said it “wasn’t necessary.”
Rely on the experts. An attorney who regularly helps organizations in the wake of cyberattacks once told me the story of sitting in a boardroom, listening to a CEO describe what had occurred in a highly publicized data breach at another company. The chief executive assured his board that what had taken place would never happen to their organization. Only the attorney knew, from working personally on the breach, that it wasn’t what had happened at all. His point: don’t always allow what you read in the media about data breaches to give you a false sense of security. Remember, there’s no shame in being the victim of a cyberattack. However, there’s no excuse for not being prepared.
T.J. Winick is the author of “Reputation Capital: How to Navigate Crises and Protect Your Greatest Asset,” available September 20th from Berrett-Koehler Publishers. He heads the crisis communications practice at Issues Management Group and is a former journalist.
T.J.’s company website: https://issuesgroup.com/
T.J.’s book: https://www.amazon.com/Reputation-Capital-Navigate-Protect-Greatest/dp/1523001844/