Editor’s Note: Are you interested in learning more about Reputation Risk Management? Register for PRSA’s Reputation Risk Management Certificate Program https://bit.ly/prsarrm
Scott Farrell, President, Global Corporate Communications, Golin
When you Google “top crises of 2015,” included in the top-10 of nearly every list are one or more of the high-profile data breaches of 2015. Chick-Fil-A, Blue Cross Blue Shield, the U.S. Office of Personnel Management, Harvard University, American Airlines and dating service Ashley Madison are just a few of the organizations that fulfilled the prophecy of former FBI director Robert Mueller III, who said at a 2012 RSA cybersecurity conference, “There are only two types of companies: those that have been hacked and those that will be hacked.”
While the data don’t yet suggest that the pervasiveness of cybercrime has reached the saturation point suggested by Cisco CEO John Chambers, who echoed Mueller in a 2015 World Economic Forum blog post and said that the two types of companies were “those who have been hacked and those who don’t know they’ve been hacked,” the frequency and sophistication of cybercrime incidents continues to escalate at an astounding pace.
The cybersecurity industry’s most exhaustive annual study of data breaches confirms this. Verizon’s annual Data Breach Investigations Report cited 1,367 definitive data breaches in 2013. In 2014, that number rose to 2,100 and jumped to 3,141 in 2015 — nearly a 230 percent increase over three years. Verizon also acknowledges it’s not likely every breach is covered by its annual tracking study, so the growth rate could be even more impressive.
Breaches are broadening in scope as well, without regard for an organization’s public or private status, sector or size. No organization is bulletproof when it comes to the potential compromise of data.
A costly situation
The threat is significant, and so are the costs. A recent Forbes Insights report pegged the cost of cyberattacks to businesses at $400 billion to $500 billion a year. But closer to home for the PR professional is the potential reputation and brand damage that accompanies a breach.
In a survey by U.K. fraud-prevention company Semafone, 86 percent of respondents said they would not, or would be very unlikely to, do business with a company that had faced a data breach involving credit or debit card information. According to a report published by Forbes Insights and IBM, 46 percent of companies have suffered damage to reputation and brand value as a result of a data breach. And senior corporate executives surveyed by Experian Data Breach Resolution and Ponemon Institute estimated that on average, a brand’s loss of value ranged from $184 million to $332 million, depending on what information was compromised.
For the PR professional tasked with protecting organizational reputation and brand value, these facts and trends will trigger more than a few sleepless nights. If your organization has been the target of a breach, then hopefully you were prepared and the communications process was flawless. Or you’ve already learned from the miscues and mistakes that come from not being prepared.
Crisis preparedness and management
If your current risk assessment and crisis plan do not address how your organization will manage stakeholder engagement in the event of a data breach, put that task at the top of your to-do list today. And while you’re at it, if your crisis plan is more than three years old, or it hasn’t been tested by an actual event or simulation during the same period of time, then it’s time for a refresh. The impact of social media alone on crisis preparedness and management is enough to render even modestly dated plans obsolete.
Sit down with your chief information security officer and the IT team, along with risk management or other teams in your organization that are tasked with business continuity. Make sure the communications plan is fully aligned with both the IT group’s operational plan for breach management and the business continuity plan. Clearly define communications’ role in both plans so the rules of engagement are clear and don’t have to be developed or negotiated in the heat of the crisis.
Become familiar with the relevant state and federal disclosure requirements for a breach. Speed is critical during a crisis, but everything must be done in the context of legal and operational considerations.
Finally, add a data breach simulation to your crisis training schedule. And if you don’t test your team or your plan with simulations at least once a year, start now and make a data breach the first exercise. The best plan on paper can’t always account for conflicting personalities and priorities in the war room. It’s best to work those out in a drill rather than in the heat of a data breach when millions of dollars, legal liability and corporate and brand reputations are on the line.
Fundamental communications truths
In a 2014 consumer sentiment survey by Experian Data Breach Resolution and Ponemon Institute, half of all respondents said they had personal information lost or stolen as a result of a data breach in the previous year. That is a 100 percent increase from the same survey conducted two years earlier, when 25 percent of those surveyed were victims of a breach.
As data breaches become more common, it is important to keep in mind three fundamental truths:
- Few people will care about how your organization got into the situation in the first place, so go easy on the backstory. They want to know that the management team is on top of the situation and that they’re going to fix things fast.
- News of the breach and customer reaction will move at Internet speed, which means you have to as well, but always within the operational constraints of the IT team and legal and regulatory requirements regarding disclosure.
- How your organization manages the aftermath affects reputation and relationships with stakeholders more than the breach itself does. Communications plays a significant role in that process.
As with all crises, the way communications is managed at the outset heavily influences both immediate and downstream responses and reactions from media and stakeholders. With that in mind, remember:
- Initial messaging should focus on the facts. Be as straightforward and transparent as possible. Explain the risks that consumers will face as a result of the breach. Often, what they imagine could happen will be worse than what actually happens. Anxiety drops in the presence of good information. And when anxiety drops, so does negative sentiment about the company.
- Breaches are measured and their newsworthiness is determined in part by the number of data records, or terabytes, stolen. Resist the numbers trap. If you share a low number, which may be all you have at first, you run the risk of having to increase the number later, triggering another news cycle and the impression that the company really isn’t in control of the situation. Share a high number too early and you may escalate the likelihood of negative coverage and consumer response. It’s best to leave the door open on numbers (while complying with disclosure requirements) until there is reasonable certainty by the experts on the scale and scope of the breach.
- Tell people what the company is doing to fix the problem and, as soon as possible, outline the reforms that will prevent a similar breach from happening again. They need to see a management team in control and tapping the right resources inside and outside of the company to solve the problem once and for all.
- Let people know what you’re going to do for them. Often, it’s an immediate offer of identity theft protection and credit monitoring. The sooner customers see that their concerns are going to be addressed, and addressed because the company feels it’s the right thing to do rather than because it is legally obligated to, the less anxious they are.
- Finally, don’t underestimate the power of an apology. In the Experian/Ponemon study, 43 percent of respondents said a “sincere and personal” apology would prevent them from discontinuing their relationship with a company following a data breach. That was closely followed by 41 percent who mentioned free identity theft protection and credit monitoring services. The next most highly cited remedial action — access to a call center to respond to concerns and provide information — was mentioned by only 15 percent of respondents. Clearly, the least expensive option could be the most powerful.
Studies indicate that the time it takes to repair the reputational damage and diminished brand value resulting from a data breach ranges from eight months to more than a year, depending on the nature of the breach. A properly developed and tested crisis communications plan and flawless execution in the heat of the moment are the best ways to ensure that your organization will emerge from a breach with minimal impact on its reputation and relationships with stakeholders, as well as put your company on a fast track to a rapid recovery.
This article originally appeared in the Summer 2016 issue of PRSA’s The Strategist