We recently were asked to help a client develop an in-depth crisis communications plan to address a potential external attack on the client’s IT network and a resulting data breach that compromises customer information. This company takes data security very seriously and has an outstanding track record, and it’s to their credit they nonetheless recognize the need to be prepared for the worst.
The theft of personal data and potential for financial harm are among the worst nightmares for consumers. Keeping our personal data safe and protecting us from liability for fraudulent transactions are among our most basic expectations when we do business with a company online. Failure to meet these expectations obviously can have a catastrophic impact on corporate reputation and consumer trust. In a 2014 survey, 45 percent of consumers said they don’t trust retailers to keep their data safe and 12 percent have stopped shopping at a retailer victimized by a data breach.
The list of data breaches in the news is long and alarming:
- Hackers stole information on 37 million users from adult website Ashley Madison and have threatened to reveal user names and details if the site is not shut down.
- Earlier this year, nearly 80 million records were compromised at health plan Anthem, including names, Social Security numbers, dates of birth and other personal information.
- Retailers experiencing major hacks and exposure of customer data over the past two years include TJX Companies (T.J. Maxx, Marshalls, etc.; 2013, about 46 million accounts); Home Depot (2014, 56 million accounts); and Target (2013, 110 million accounts).
Most recently, the U.S. Office of Personnel Management, which maintains records for millions of current and former U.S. government employees, was attacked, allegedly by Chinese hackers. At first, OPM said records were exposed for about 4.5 million federal employees. The total was later revised upward to about 21.5 million employees and others, with exposed records including personal information from background check forms, for people applying for government jobs and for friends and family members identified on the forms.
With these and other incidents in mind, our advice obviously begins with prevention: given the reputational risk and vast legal and financial liability that data breaches can spawn, it’s worth investing substantially in robust IT defenses to avoid such incidents.
Beyond that, here are four things that companies facing a data breach – or preparing for one – should do:
- Assemble the right team to address the situation. You’re going to need IT, legal, operations, customer service, finance and communications around the table, with top management oversight and visibility, given the high degree of reputation risk. Access to forensic IT specialists will be critical in the first few hours. If they’re not on your team now, you should find them before you need them.
- Recognize that you may not know critical details at the start. What happened? Why did it happen? What information was exposed? And most important, how many customers are at risk? In the case of OPM, the initial estimate of at-risk records turned out to be off by a factor of five – whether due to an inability to scope the problem accurately from the start or a desire to hide the true size of the disaster. Be cautious about putting a fence around the size of the problem in your public statements until you’re sure you know how big it is.
- While your team is working to determine exactly what happened and how many people are affected, be prepared to say what you are doing about it and what you will do to make it right. If you’re a retailer or financial institution and have policies in place that limit customer liability for fraudulent transactions, say so and explain those policies in detail. If you plan to take responsibility for re-issuance of credit cards that may have been compromised on your network – even if you’re not a credit card issuer – communicate that intention and how it will work.
  Remedies like these will be expensive, as will resulting lawsuits, which is why your finance team and insurance experts must be at the table.
- Make sure that at least as much thought and energy goes into communicating directly with affected customers as with the news media or other audiences. The guidance and support you provide to the customer service team members who will be answering calls from thousands or millions of concerned or irate customers may have a bigger ultimate impact on your reputation than your media statements. The points of emphasis and level of detail may vary from one audience to the next, but the main themes need to be consistent.