In technology circles it is growing wisdom that data breaches – along with death and taxes – are one of life’s three certainties. While not every organization can expect a major data breach like those that plagued Target, Home Depot and Sony, they must all at least be prepared for one. At a time of crisis, business leaders will have to make decisions quickly, and planning out scenarios in advance will help avoid common pitfalls.
Based on our team’s experience in successfully navigating these issues for our clients, we have developed four principles important for any company facing a breach:
Control your own story. One of the mistakes made by a number of companies in this area has been allowing reporters to control of the story of their breach. Target, for example, was continually behind the curve as news of the breach developed, and they compounded that mistake by making inaccurate public statements about the scope of the breach. It is crucially important that companies move as quickly as possible when they learn that a breach has occurred to gather all of the facts about what happened so they can develop a customer mitigation and communications plan and take control of their story before an external force can.
Put customers and their security first. After a year of constant news about data breaches affecting a number of high-profile companies, customers understand that breaches happen. But they are not sympathetic to companies that hide news from them. Companies need to be aggressive in communicating to affected customers and explaining to them what happened, what data might be at risk, and what the company has done to mitigate the damage. In balancing the interests of various stakeholders – the media, shareholders, employees, government regulators – customers must always come first.
Actions speak louder than words. Apologies are great, but what customers and the media really want to know is what a company has done. And just saying that you’ve taken aggressive action isn’t sufficient – companies need to be able to explain in real time and in detail the steps they have taken to protect customers’ data, mitigate any harm, and prevent future breaches from occurring.
Be aggressive in telling your story, but don’t panic. Not every breach is as serious as the ones that affected Target and Home Depot, and they don’t all require the same approach. Furthermore, a breach that affects one customer group does not necessarily call for a company communicating with every customer it has or making a full-scale media apology. It’s important that companies calibrate their response to the breadth of the breach — overreacting can cause as many problems as underreacting.
The landscape on this issue continues to change as more and more breaches become public. To a great extent, companies are now judged not just by a data breach itself, but by how they respond to it: Did they act immediately to close the breach and notify customers, or did they wait while they figured out a public relations plan? Did they notify law enforcement immediately? Did they have a sufficiently robust plan in place in advance for detecting breaches? All of these questions and others will be asked by the media in the first 48 hours after a breach becomes public, and a company needs a team in place that anticipates those questions and develops the right action items to demonstrate, and not just assert, that it has handled the situation appropriately.