The PR Battle Fronts in Digital Times – Breach Management

Overview: This last article in our three-part series focuses on PR crises – specifically, breach management. We focus on breaches because they are a growing problem as commerce and business entities increasingly occupy the same digital space as a more nefarious sect who prefer the darker side of the cyber world.

When your company suffers the biggest cybersecurity breach of all time, it’s inevitably going to suffer bad press. But when you don’t disclose the breach for two years you’re going to seriously damage users’ trust, and you just might shatter a multibillion-dollar acquisition deal.
— Inc, 2016

PR strategy is perhaps most crucial when it comes to managing crises. A crisis could be a flurry of complaints following a faulty batch of products or a devastating data breach that exposes customers’ personal data. Either one harms the brand and affects company performance.

Unfortunately, the digital age and advances in communication and social media have made crises and breaches part and parcel of doing business, which is why cybersecurity is one of the fastest-growing industry sectors. With that being the case, an important component of PR is to communicate efforts to protect a brand from threats and mitigate the ensuing reputational harm.

According to a recent Ponemon Institute study, data breaches are one of the top three types of incidents that affect brand reputation, and consumers often expect compensation after a security compromise. However, the good news is that the fallout from a data breach can be minimized if there is a communication strategy in place that can be activated immediately.

Timing is Everything – Act Now

Thirty percent of consumers who had been affected by a breach discontinued their relationship with the affected organization. And who can blame them? In some cases, companies have delayed notifying customers of a hack to avoid the consequences but, by protecting their own interests, they put those of their customers at risk. Any delay in informing the public increases the risk that the stolen data has already been sold on the black market.

Unfortunately, industry-wide standards for safety remain completely insufficient or simply nonexistent as more personal data become digitally accessible, giving companies wiggle room to manage crises poorly but legally.

Equifax, the credit reporting agency, took six weeks to let its 143 million customers know that their private data were at risk. The optics were not good as high-level executives delayed telling the public while grabbing the opportunity to sell off $2 million of the company’s stock before it took a nosedive. The stock fell 18 percent within four days of the announcement.

Yahoo failed to report a data breach for over a year, and both Target and Neiman Marcus were hit with similar criticism for not going public about credit card data breaches until a third-party cybersecurity blog exposed the events and the retailers were forced to come forward.

But the facts show that a quick, transparent response to crises such as data breaches is the best way to restore brand reputation. According to, companies that responded to a breach and were quick to self-report the event saw their stock value recover after an average of seven days. In contrast, companies that delayed a response saw their stock price decline over a 90-day period, on average.

BP wouldn’t wait a month to make a statement on an oil spill, because that period of silence creates a vacuum …[for] speculation and false accusations, which, when not refuted, would negatively impact the brand and the public’s perception of the organization.
— Fred Ghahramani, founder and CEO of Just10, 2016

Breaking the News

Source: Ponemon Institute, 2014

The aftermath of a data breach is not the time to withhold information. When it comes to a breach, things can’t really get much worse unless a company attempts to manipulate the facts. It’s better to lay it all out there rather than hold back and deal with backlash and accusations of concealing information.

When a breach occurs, PR is responsible for managing expectations. It’s better for the customer to assume the worst-case scenario and then feel a sense of relief than it is to have the reality sugar-coated. Data from the Ponemon Institute confirm that customers want the truth, the whole truth, and nothing but the truth.

One way to frame the message strategically is to ask for customers’ help in combating the problem. For example, involve victims in investigations and ask them to provide useful information. This accomplishes two things: it maintains a positive relationship and shows proactive behavior on the part of the affected company.

While the strategy might not work for tech firms such as Google, which are already expected to be crackerjacks in tech warfare, it might work for non-tech firms who would garner some respect from consumers if their remedial efforts had been extensive but still failed.

But what would really make a difference to consumers is a sincere and honest apology. While just over 50 percent of respondents to the Ponemon survey said that nothing could dissuade them from discontinuing a relationship with a company that experienced a breach, over 40 percent said that a personal, sincere apology would make a difference.

Source: Ponemon Institute, 2014

An effective apology is a fast one. And an apology does not necessarily mean that a company is accepting liability; it merely shows empathy and concern for those affected. So, given that a company’s reputation can be destroyed on social media in a matter of hours, there is no reason to hold back on this first step in damage control.

It’s also important to rally the troops and not just rely on PR customer messaging efforts in the event of a disaster. There should be transparency in three directions: the customer, the employees, and the regulators or authorities. Internally, the PR, HR, and legal teams need to collaborate and act fast, and they should all have had input when creating a disaster plan (more on this in the section below).

For a good example of how to handle a data breach, look to eBay. eBay identified the breach early on and informed customers what was exposed and what steps they should take to protect themselves. eBay also informed customers what the company was doing to address the threat. The company’s reputation suffered minimal damage because the company was transparent, looked competent in its handling of the threat, and addressed the problem head on.

A Cunning Communications Plan for Data Breaches

The Harvard Business Review gives guidelines for a strategic communication plan for disaster management. Such a plan should be created with the input of key stakeholders such as clients and customers, partners and suppliers, employees, social media, and the press.

Here are the bare bones of a disaster management communications plan that could also be applied to other crisis events.

  1. Form a crisis communication team composed of those best equipped to handle it. Decide their roles and the real-time messaging to be released.

  2. Have the security team conduct an impact assessment – an inventory of data assets and potential risks. Security solutions can identify a company’s vulnerabilities and, in some cases, eliminate them with early monitoring and detection.

  3. Determine the company’s legal obligations in terms of disclosure and lay out the plan to fulfill them.

  4. Pinpoint advocates that might support the cause in the event of a disaster. They might be the customer base, business partners, investors, influencers, or members of the media. Part of PR is building and maintaining supportive relationships with media partners. These partners can be an extension of an internal team in the event of a data breach when a company needs all the help it can get.

  5. Identify spokespeople who can speak to the media and who will be well-received. They may not be a company’s usual spokesperson, and different spokespeople might be required for different audiences. The head of engineering might be best received by an IT audience while the CMO might be the best person to engage the media.

  6. Decide what to disclose when a breach happens, keeping in mind that transparency is the best policy. The facts of a breach unfold over time, and there are few good reasons, if any, not to be open about what is known as soon as it is known. The important thing is to communicate the steps that are being taken to protect and help customers and minimize the fallout.

  7. Following a breach, provide updates on what is being done to improve security. Revisit your plan often. Keep spokespeople well-informed and ready to go.

Managing Social Media Amidst Breach Disasters?

Developing a communications plan for a breach is doable, but anticipating the ensuing social media or word-of-mouth crises is perhaps more challenging. The contexts are so broad that it is impossible to anticipate all of the scenarios that might occur.

In the case of the Target breach in 2013, the MSL Group analyzed the subsequent social media chatter. They monitored the aftermath of the Target breach using a tool called NUVI, which churned out real-time data: who was tweeting, what they were tweeting, which channels had the most influence, the trending sentiments of the chatter, and the most shared links.

Source: MSL Group, 2014

This analysis proved that monitoring and managing social media is a long-term, constant process if brand reputation is to withstand crises. All media, old and new, are affected by crises, but breaking news influencers are still traditional media outlets who use new media as communication channels. With such expert snipers as opponents, there’s no way around the need to have an ongoing PR effort to defend against social media attacks.

Disaster management, then, is proactive PR developed with collaboration from internal and external allies. The wise company will "own" the data breach from the very moment it becomes aware of it. Companies that stand a chance of saving their reputation inform the customers who are impacted and educate and guide them through the process of mitigating further losses.

Successful companies are transparent about what they know, when they know it, and the steps they are taking to rectify the situation. Crisis management is a war on many fronts, but it can be won if the propaganda is true and credible.
