Rumination #11 – When a data breach occurs, communicate with your customers early and often
Recovering from a data breach is like recovering from a skunk attack. No matter where or when you go in the house the stink still clings.
Consider Sony’s Playstation data breach in 2011. It took until July 2014 for the dust to start to settle on this one. That’s when Sony offered a $15 million court settlement to U.S. users of its PlayStation Network (PSN). When the network was hacked three years before, the personal account information of 77 million users was exposed in one of the largest data breaches on record. It didn’t help that it took months after the incident for all PSN gamers to get back to blasting bad guys and obliterating ogres. In the meanwhile, Sony took a heavy financial hit.
That same year, in June 2011, Citigroup announced that hackers had acquired the personal information of 200,000 credit card holders. The settlement for that one wasn’t offered until 2013 when the company revealed that the breach actually exposed more than 360,000 North American Citi-issued customers’names, account numbers and contact information.
Given the sheer terror a data breach unleashes, it’s not surprising that corporate victims focus their attention and resources on finding out how the breaches occurred and what security holes they have to plug. But what about the communications side of things? What should they be saying to consumers who are scared and angry about effects of the breach while they are working on the fixes?
Start with “We’re On It”–As with any crisis, the first thing your target audience wants to know is that you’re aware of the situation and that you’re on it. A simple statement that comes as soon as you are aware of the breach goes a long way towards muting initial panic. This initial response doesn’t need to go into a lot of detail about how many were affected, what was hacked and how it happened. Chances are you won’t know that, so it’s best not to commit at that time. A simple message that doesn’t over-reach beyond what you know is best.
Tell your story promptly– Share verifiable facts quickly as they come in. Your goal is to get control of the message and put yourself out there as the most up-to-date source of accurate information. If you don’t, tweets and retweets will put forth their own theories about the reason and extent of the attack.
We recently worked with a client whose ex-employee spewed forth his theories about “foreign agents”hacking into their database. While untrue, his story was so intriguing that both the twittersphere and even a local TV station showcased his take on things. Had the organization taken control of the rumor mill earlier, they could have put out the truth, which was that had verifiable proof that there was no breach. Instead, a vindictive ex-employee’s ravings took center stage first and we had to play catch-up afterwards.
Tell it all ways – Keep the public and stakeholders in the loop as you move your investigation forward using traditional, on-line and even paid media. One caveat here: Social is only useful if you already have an active presence. Starting a Facebook page or twitter account during a crisis is fruitless.
Whether or not you’re active on social, your website needs to be THE source for the latest on the breach. We suggest you showcase information on the site in three places: Prominently on the home page, as the number one item in your news section and on a dedicated landing page that addresses the breach. Target’s landing page is still active almost year after the retailer was breached during the 2013 holiday season. Ten months later, the company still updates it, advising: “Visit this page for regular updates and reliable information about our data breach, including all official company communications.” By the way, it took a while for Target to get control of the story originally. The news media were all over it for 24 hours before they addressed the breach. In the interim, breach victims were unable to reach Target’s call center or website and angry customers went to the company’s Facebook page to express their frustration.
Protect the victims- Many states have legislated how companies must react to breachs in terms of both communications and customer protection. Whether or not your state requires it, we advise offering free credit monitoring as the first step to rebuilding customer trust. In addition, reassure those victims by delivering ongoing updates about what you’re doing to protect them. Those communications should also showcase what you’re doing to prevent similar attacks in the future.
Put on your Big Girl (or Big Boy) Panties and apologize–Corporate arrogance or legal considerations may put the brakes on any kind of apology. This is a bad idea. Craft an apology that acknowledges the impact of the breach on its victims. Demonstrate concern and compassion for what they are going through with an eye towards your attorneys’ (well-founded) concerns about future litigation. As we advised another client going through a gut-wrenching crisis: “We’re not suggesting you should say ‘We’re sorry we killed her.’ We’re suggesting you say, ‘We’re sorry she’s dead.’”
Remember it ain’t over when it’s over –Once your security geniuses and IT gurus have done their investigation and fixed any flaws, there’s a tendency to think you’re done. You’re not. As we’ve seen in other data breaches, the memory lingers on, bolstered by rumor, twitter and fear. Nurture victims well beyond the operational fixes. Assure them that this is an ongoing concern of yours and a legitimate concern of theirs. Communicate what you’ve learned, what you’ve changed and why you value their trust. Acknowledge that their trust in you has taken a hit and assure them you’re going to work to regain it.
Data breaches have the ability to deliver long-term reputation damage. Demonstrating care, compassion and concern are important steps towards reconstructing reputation and rebuilding trust.
