Our connected world has enabled companies to understand and interact with consumers in much more sophisticated ways. At the same time, hackers are upping the ante with full-blown attacks that are becoming impossible to ignore. And by all accounts, this ride is only picking up speed. Recent high-profile data breaches from Equifax, Uber and, more recently, Nissan Canada are shining a spotlight on corporations and pushing governments to act.
Naturally, consumers are concerned. According to FleishmanHillard’s 2017 Authenticity Gap study, almost 60 per cent of engaged Canadians agree that companies are not taking data security threats seriously and are not investing enough in their IT to protect against breaches.
Vulnerabilities in a company’s cybersecurity can result from several factors, from malicious attacks, to unaware employees, to outdated IT systems. Vulnerabilities are inevitable; the difference between being secure and insecure is often how quickly you respond.
Read the original article on the Centre on Reputation
But what does this mean for a business’ reputation? How companies communicate with their key stakeholders during a breach goes a long way in determining the impact a data incident will have on consumer confidence. For communications professionals, this means extensive planning before your company is targeted by hackers to ensure that the right cadence and content of information is communicated to the right audiences at the appropriate time.
When planning for a cyber crisis, communications experts must recognize that we can’t tackle the work in a silo and that the best approach involves working alongside our counterparts from legal and insurance.
I sat down with Imran Ahmad, a Toronto-based lawyer with the law firm Miller Thomson LLP and who specializes in cybersecurity, to gain his insights on communications around a data breach.
“The number one thing companies must communicate during a breach is that the matter is well in hand and illustrate that there are clear next steps,” says Ahmad. “The message cannot be, ‘We’ve been breached, and we’ll get back to you.’ You must demonstrate that you’re in control of the situation, you’re working with regulators and law enforcement, and you have your clients’ best interests in mind.”
Ahmad cites the 2014 Home Depot credit card payment system hack as an exceptional example of how to communicate during a cybersecurity crisis. Following the breach, Home Depot notified the relevant privacy commissioners across Canada, issued press releases and directly contacted 500,000 potentially affected customers. The company apologized for the breach, confirmed actions were taken to eradicate the problem, informed impacted parties that they would not have to pay for any of the fraudulent charges and even offered free credit monitoring.
While a class action lawsuit was approved, punitive damages were not awarded in full, partially because of Home Depot’s handling of the situation. As Justice Perell explained as part of his decision:
The real villains in the piece were the computer hackers, who stole the data. After the data breach was discovered, there was no cover up, and Home Depot responded as a good corporate citizen to remedy the data breach. There is no reason to think that it needed or was deserving of behaviour modification. Home Depot’s voluntarily-offered package of benefits to its customers is superior to the package of benefits achieved in the class actions.
The Home Depot example, however, is the exception to the rule, says Ahmad. Just look at recent cases with Uber and Yahoo’s 2013 breach which only came to light in 2017. However, in trying to demonstrate to customers that they are being proactive and are taking ownership of a breach, companies can inadvertently put themselves in a more tenuous legal position if they don’t spend the time upfront to map out likely outcomes associated with a given communication strategy.
“The biggest mistake companies can make during a data breach, from a legal standpoint, is taking full culpability for the lapse in security,” says Ahmad. “It’s important to strike a balance between assuaging the fears and anger of clients, while also being mindful of potential legal liability implications.”
Ahmad encourages communicators, where appropriate, to use conditional language during a crisis, such as, ‘We regret this breach occurred and are taking the necessary steps to ensure that those affected by the breach are not harmed further.’ Conditional language will allow companies to protect their reputations by expressing empathy, proactively communicating to stakeholders and minimizing the potential damage associated with data theft, while also mitigating their potential liability.
Often, the biggest roadblock to communicating effectively during a breach is fear of the unknown, says Ahmad. Companies worry about how a breach will be perceived and the potential legal implications of engaging with stakeholders. But with new federal regulations on the horizon, requiring businesses to report data breaches or face fines, they must start to overcome this fear.
“The new legal obligation to report breaches and potential penalties for not doing so is a step in the right direction to protect clients and will force companies to engage with their stakeholders,” says Ahmad.
“Those organizations that are prepared for crisis situations and have developed messaging catered to their various stakeholders, whether they are consumers, suppliers, employees, vendors, or shareholders, will be better positioned to mitigate damage from both a legal and reputational standpoint.”
Leslie Walsh is senior vice president of FleishmanHillard HighRoad’s Reputation Practice in Toronto. You can reach her at leslie.walsh@FHhighroad.com