Right now, it’s really easy to pick on Yahoo. Imagine having to tell millions of your customers their information has been compromised. Now, imagine you have to do it again two months later.
In a statement a week ago today, Yahoo’s Chief Information Security Officer blamed an unauthorized third party for stealing data associated with more than one billion user accounts. Yahoo says the breach announced this month is “likely distinct” from the breach it announced in September. That breach affected at least 500 million users. The second one affected twice that many. To quote the Associated Press, Yahoo broke its “own humiliating record for the biggest security breach in history.”
After the first breach, experts wondered whether Verizon would pull out of its more than $4 billion bid for Yahoo. They’re asking the same question again.
Don’t get me wrong, there are some legitimate questions Yahoo will have to answer. How could this happen on such a massive scale? How could this happen twice? What is the true damage done to customers whose information has been compromised? How will Yahoo ever be able to assure its customers of the safety and privacy they expect?
While the general public and reporters pose these questions to Yahoo, this latest data breach should inspire all executives and communications professionals to look within and ask whether their company is prepared to react and respond to a data breach.
While Yahoo is the latest high-profile example, make no mistake: a new data breach is confirmed every day. Many companies are breached even though they devote significant resources to protecting their systems. In 2014, former FireEye CEO Dave DeWalt told 60 Minutes that “97 percent of all companies are getting breached.” Your company either has been or likely will be breached.
Brad Shaw was Chief Communications Officer for The Home Depot when the company was famously breached. The Home Depot is also held up as an example of how to communicate during a data breach. In talking about the breach, Shaw said it was important for the company to move fast, be authentic, stay current and (most importantly) stay calm while responding.
A company’s ability to do those things comes from having a plan to communicate before, during and after a breach. There are many roles to play. We’ve blogged about PR’s role in a cybersecurity crisis. Our crisis management team’s approach is detailed. But it really comes down to two basic principles: planning and testing.
Before the breach: preparation
First, there should be clear protocols for reporting security breaches and other crises to top management. If a breach is detected, key decision-makers must get to the table – fast – for a no-nonsense “what do we know?” session.
This team of executives should include senior decision-makers from legal, HR, communications, operations, security, IT and all other relevant departments. As the Federal Deposit Insurance Corp.’s Martin Gruenberg put it in a 2014 speech quoted by American Banker: “Cybersecurity is no longer just an issue for the IT department.”
Assemble your external crisis support team as soon as possible. Ideally, your company will have already established strategic relationships and set up lines of communication with outside entities – forensic IT experts, credit monitoring services, insurers, and attorneys specializing in cybersecurity liability and law – before any cybersecurity breach or records theft. Lining up a trusted outside team in advance will help you respond quickly and allay concerns without losing time.
Your communications counsel can help craft the messages for call center responders. Your company, in turn, should be prepared to answer a range of tough questions clearly – and with understanding, empathy and a clear action plan. Put yourself in the shoes of a person who has just been informed that his or her personal information has been lost or compromised. You would want clear assurances that your company is fully committed to making things right.
In the heat of the breach: what to do during the crisis
Understand whether your client is truly on the verge of a crisis situation. There is a difference between a reputational crisis and a reputational challenge. The first step is to understand the situation, its potential impact on the organization and its stakeholders, and the level of interest the public and/or media are likely to have. Underreacting to a crisis or overreacting to a challenge can harm a company’s brand almost as much as the precipitating event. Pull in trusted crisis response experts to help evaluate if needed.
As the situation evolves, the executive team should ask the tough questions, get the facts and stay in constant contact with one another – and with the people addressing the problem on the front lines. Before a crisis communications plan is enacted, address the following:
- Which records or data sets were compromised?
- What level of information is at risk?
- Where and how were the records stored before the theft or breach?
- How many people may be affected by the data breach?
- Have we sealed the “door” through which the attackers entered? Are there any other potential entry points still open?
- Have relevant law enforcement agencies been notified? Are those agencies able to share any findings?
- If the suspects are employees or former employees, what relevant information can be gleaned from their employment file? Were full and complete background checks done on them? Were there previous disciplinary problems or any previous indications of trouble?
- What steps were taken to secure the records or data before the breach? What is being done to secure remaining data?
Set up the response center, and take action to help. As soon as possible, your company should offer credit monitoring, fraud protection and identity security services to those affected by the data breach. This service should include a hotline run by a trusted credit-monitoring partner. (Note: State laws may vary, so the offers sent to affected individuals may need to be specifically tailored.)
Remember your internal audience. Your company should vigilantly communicate with employees so they can serve as ambassadors in the community if the company encounters a reputational crisis or challenge. Informed, engaged employees are powerful assets to help preserve a company’s credibility and reputation.
Don’t wing it. Craft a clear internal protocol that employees should follow if they are called by affected individuals, reporters, neighbors or customers. Make sure employees have the phone number and email address of the designated company spokesperson. This is not the time for employees to freestyle.
Don’t stay silent when you should break the story. One of the most important judgment calls in this process is deciding when to proactively go public with the news. There are major risks in delaying. As Forbes.com contributor Davia Temin wrote about Target’s data breach crisis: “No matter how much it hurts, when you have a problem that affects your customers directly, do not wait to go public. You don’t need to have all the answers, but you do need to get ahead of (and own) the problem.”
Get out in front. This can demonstrate good faith and a commitment to finding a solution. It can also prevent rumors from spreading in a vacuum. Once the news is public, commit to communicating clearly and consistently. Do not minimize the problem, and do not make false assurances. The need to retract overly optimistic assurances can destroy your company’s credibility. Be forthright with customers, employees, vendors, clients, the media and other key constituencies. Don’t be afraid to admit what you don’t know, but let them know you are working to find out.
Decide what to share – and when. It is possible your company’s cybersecurity problem will not morph into a news story, even after communicating with affected individuals. But your company should still have a plan for dealing with media attention. If your company opts not to preemptively let the media know about the problem, draft a brief holding statement about the situation and keep it on file for use if your company receives inquiries from journalists.
Monitor media coverage. Task a team to closely monitor any coverage in social media or traditional media. Assemble an up-to-date media list for use if and when your company shares updates. If reporters call, respond promptly – at least to confirm your company has received their inquiries and is working on the request. Silence can be deadly.
After the breach
Some of the steps recommended during the breach are also worth continuing once the breach has been contained:
- Determine if your company should have been storing the records in question in the first place.
- Understand where and how the records were stored before the theft or breach.
- Determine whether the cause of the breach has been fixed and whether there are other ways attackers could get past your security.
- If law enforcement agencies are able to share any findings of their investigation, review the information to determine what can be learned from the breach and applied to improve security, communication and response.
A cyber breach, or any crisis, is as much about how you respond as it is about what has happened to your company. The credibility of your brand is affected by both, and preparing for the inevitable will position you for success.