*A version of this article can be found in the January 2015 issue of O’Dwyer’s Magazine.
You may have heard the saying: “There are two types of companies. Those who have been hacked, and those about to be.” Cybersecurity – or, more precisely, lack of cybersecurity – poses a massive risk to the reputations, revenues, customers and employees of businesses.
At Jackson Spalding, we have developed a crisis management approach for records theft and data breaches that stresses the need for swiftness, decisiveness and thoughtful touch. Here’s a quick download –
First and foremost, there should be clear protocols for reporting security breaches to top management in the event of an incident. If a breach is detected, key decision-makers must get to the table and start a fast, no-nonsense “what do we know” session. Decision-makers should include senior representatives from legal, HR, communications, operations, security, IT and all other relevant departments. This is a senior-level priority, and the crisis management team needs to reflect that. The team should ask the tough questions, get the facts and stay in constant contact as the situation evolves.
Some key tough questions to ask before a crisis communications plan can be enacted:
• Which records or data sets were compromised?
• What level of information is at risk?
• Should the company have been storing these records in the first place?
• Where and how were the records stored before the theft or breach?
• How many people may be affected by the data breach?
• How can we contact those compromised people to alert them? Should we alert them specifically or make a blanket statement?
• Has the door in which hackers were able to enter been closed? Are there any other potential portals still open?
• Have relevant law enforcement agencies been notified? Are those agencies able to share any findings about the incident?
• Have any arrests been made?
• If the suspects are employees or former employees of the client, what relevant information can be gleaned from their employment file? Were full and complete background checks done on them? Were there previous disciplinary problems or any previous indications of trouble?
• What steps were taken to secure the records or data before the breach? What is being done to secure remaining data?
Steps for Success
And now, the race to save your brand’s reputation begins:
Understand if you are truly on the verge of a crisis situation. Glen Jackson wrote a piece a few years ago on the difference between a reputational crisis and reputational challenge. The first step is to understand the situation and potential impact on the organization, stakeholders and interest level the public or media could have in the situation. Underreacting to a crisis or overreacting to a challenge could cause immense harm to a company’s brand, possibly resulting in a fatal blow beyond repair. Pull in experts to help evaluate if needed. We do this for our clients all the time.
Assemble your external support team as soon as possible. In any situation involving theft of records or sensitive personal information, it is important to respond quickly to allay concerns about identity theft. Ideally, you will have already established a relationship with a credit monitoring service in advance so you don’t lose time. Line up a credit monitoring service for affected individuals, and pay for it. Your legal team and PR counsel should work in concert to help.
Set up the war room. As soon as possible, create a hotline to serve as a contact point for affected individuals to call and ask questions. Depending on the number of victims, this can be done in-house or contracted to a trusted partner. Develop a script with a wide range of potential tough questions and clear answers. Put yourself in the shoes of a person who has just been informed that their personal information has been lost or compromised. Which questions would you ask?
Don’t wing it. Have a clear internal protocol that staffers follow in the event they are called by an affected individual, a reporter or a concerned customer. Make sure your staffers are armed with talking points and the phone number and email address of the designated spokesperson. This is not the time for employees to freestyle.
Monitor media coverage. Task a team to closely monitor any coverage in social or traditional media. Assemble an up-to-date media list for use if and when you share updates. If a reporter calls, aim to respond promptly – at least to let them know you have received their inquiry and are working on their request. Silence can be deadly.
Decide what to share – and when. It is possible that your cybersecurity problem does not morph into public view. The media may not be aware of it. You should still have a plan for dealing with public attention. If you opt not to preemptively let the public know about the problem, draft a brief holding statement about the situation and keep it on file. Use it if you receive inquiries from journalists. Stay in your swim lane: if a question is better left to law enforcement, direct the media to law enforcement.
Don’t stay silent when you should break the story. Deciding if the breach is serious enough to merit preemptively going public with the news is one of the most important judgment calls in this process. As Forbes.com contributor Davia Temin wrote about Target’s data breach crisis: “No matter how much it hurts, when you have a problem that affects your customers directly, do not wait to go public. You don’t need to have all the answers, but you do need to get ahead of (and own) the problem.”
In some cases, it will be important to get out in front of the story yourself. This can demonstrate good faith and a commitment to finding a solution. It can also prevent rumors from spreading in a vacuum. In any case, once the news is public, commit to communicating clearly and consistently. Do not minimize the problem, and do not make false assurances. Retracting over-optimistic assurances will destroy your credibility. Be forthright with your customers, employees, vendors, clients, the media and other key constituencies. Don’t be afraid to admit what you don’t know, but let them know you are working to find out.
Take action to help. You should consider offering free credit monitoring and fraud alerts to those affected by the theft. The sooner you make contact with a credit monitoring agency to set up this service, the better. Planning ahead is essential. In a crisis, you do not want to be calling potential partners and investigating pricing options for the first time. These relationships should already be established, with clear lines of communication. Again, your PR counsel can make these introductions or build these relationship on your behalf. Reach out to affected individuals as soon as possible with information about how they can sign up for the credit monitoring.
Clarify the rules. Make sure there are clear guidelines for the people manning the crisis hotline. They need to convey understanding, empathy and a clear action plan for helping callers with the threat to their personal information. They should be trained to relay relevant, up-to-date information that has been vetted by you, the client.
Keep key stakeholders informed. A portion of the calls from affected individuals will need to be “escalated” to the attention of senior management because of the severity of the caller’s problem or the intensity of their anger. Make sure a “hot file” for follow-up is updated every day and distributed to key decision-makers at least daily.
Remember your internal audience. As you communicate with the press, you should be equally vigilant to communicate with your employees. Keep them informed, and prepare them with key messages so they can be ambassadors for you in the community. If you keep your employees in the know, they can help preserve your company’s credibility and reputation.
You are not a cop, but don’t stop the cop. Stay in close contact with law enforcement as they conduct their investigation. Some communications you may want to make could hamper or derail an investigation. Know what you can say before you say it. However, you may need to communicate more quickly or aggressively than law enforcement does. You have a different job, and you’re on a different timeline.
These guidelines can help you protect your reputation in the event of a breach. If you take decisive and well-considered steps, a crisis can turn into opportunity in the long run – a chance to demonstrate character and genuine concern for those affected by the breach. As Stephen M.R. Covey wrote, “Nothing is as fast as the speed of trust.” In a hyper-connected world, the right communications strategy – and the right attitude towards people jeopardized by security risks – can help protect and even strengthen that trust.
* * *
A similar article on cybersecurity crisis communications by Jeremiah McWilliams was featured in the January 2015 issue of O’Dwyer’s Magazine.