The Sony PlayStation Network hack, and the millions of customers whose private information might have been accessed, is one of the prominent headlines this week. So was the TJX security breach in its time, then considered the largest data breach in history, as over 40 million credit cards had been stolen throughout their stores in the US and Canada. So was every big financial data breach.
For those of you who don’t know, one of Mirror Communications’ clients, CoSoSys, develops endpoint security and data loss prevention solutions. Since I first started to work with them, more than three years ago, I have been reading about data breaches every single day. I cannot remember the number of hospitals exposing patient data, financial institutions having client details stolen by employees, laptops and flash drives with important databases being lost or stolen, or the number of instances where military units (in the US or other countries) were either broken into and had data stolen, or lost it because they either weren’t paying attention or did not care to properly dispose of it.
What is lacking, even more than the obvious protection against such security breaches, is knowing how to deal with the PR crisis that follows the data loss or theft. So after personally reviewing so many PR failures when it comes to data breaches, here’s a quick guide made up of useful tips to help you better deal with the consequences:
1. Don’t waste time: make the security breach known
I cannot tell you how many times I’ve heard of data breaches being revealed months after happening. The press sometimes gets hold of the news before the customers, creating panic and distrust. The moment you know something happened, let customers know and let the press know. Being the source of information prevents distortions and assumptions.
2. Own it!
It is your fault it happened. Not the hacker’s, not the air-headed employee’s who thought leaving company property in a car in a random parking lot was OK, not the IT guy’s you fired who put all those project details on the Internet, not the thief’s you let into your company network so easily. You are to blame, it is your fault, and the sooner you admit it the better. Employees can be trained, security can be tightened, data can be protected. If anyone can prevent something like this, it is the company in question, through its policies and practices.
3. Apologize for it the right way
Yes, it’s good for your customers to know you value their privacy and wouldn’t want them exposed to data theft, fraud and other such individual disasters. But their data has been stolen, lost, or just temporarily made available to anyone with malicious intent. So while you cared about it, you certainly did not value it enough. You screwed up and you have to apologize. Fast and properly.
4. Explain what happened, but don’t make excuses
Understanding what happened is important for your customers, and seeing that you are willing to reveal the details might save some of their shattered trust. While letting them know which circumstances led to the breach, make sure it does not sound like you’re making excuses. They entrusted their data to you, so you are responsible for what happened to it. Remember, it’s your fault; don’t go looking for scapegoats in your version of how it all went down.
5. Be very clear about what you are going to do
Your next actions are extremely important, and you have to be clear about the new measures being taken. The fact that you’re offering free credit monitoring and investigating the issue is not enough. Your customers need to know that you will invest in improved security solutions and practices, in personnel training and in overall business process monitoring. Your goal is not only to solve the current PR nightmare; your main goal should be to do everything you can to prevent a similar event from happening again.
6. Keep your customers informed
The press will go on and on about it if this is a high-profile case. If the malicious hackers or thieves are caught and go to trial, they will cover it. They will cover any move you make that has to do with the breach. Therefore, it is better to send updates to your customers and present your progress and your point of view. Remember the assumptions and distortions you want to keep under control!
7. If there is a class action suit, don’t start a witch hunt against customers
Some might feel free credit card monitoring and an apology are not enough. If their bank account was wiped clean or some very sensitive information has been revealed, their position is understandable. Don’t start bashing plaintiffs; they are former customers, and how you treat them will take its toll on how your remaining customers see your brand and your company.
The truth is, in most cases, companies affected by breaches try to settle lawsuits fast and cut their brand image losses. That is the right way to go. Even if you pay less at the end of a long court battle, it will definitely cost you more to counter the negativity that will surround your brand afterwards.
This is just a quick guide to get you through the immediate PR crisis caused by the data breach. After handling the immediate consequences, you will have to invest PR and marketing dollars into repairing the long-term effects, such as losing part of your customers, general distrust from potential ones, and getting enough positive stories out to balance all the data breach coverage.
You might think that if you are a smaller company and fewer people worry about your security breach, you’re better off. The truth is the press might not give you that much attention, but losing half of your customer base is a bigger blow than it is for a big corporation. Also, when you want to make your positive messages known, you will deal with the same attitude from the press – lack of interest.
The best way to deal with data breaches and the PR disasters they cause is… to prevent them, of course. But although they happen more often than we even want to know, companies still have the wrong attitude – it only happens to others, it cannot really happen to me. So they postpone their investment in proper network protection, endpoint security and data loss prevention. They never get around to that training for their staff. They only remember it when the data breach hits the news or their customers, and they’re flooded with angry messages.