Six months into 2021, there have already been over 30 major data security breaches in the U.S., including Facebook, LinkedIn, Experian, GEICO, Hobby Lobby, Kroger, Cancer Treatment Centers, California DMV, and U.S. Cellular. In fact, there are an estimated 10 million data breaches a day, at a global cost of $6 trillion.
Global ransomware damage costs may carry a $3.5 million price tag on an individual company data breach. In addition, the frequency and impact of attacks could leave many enterprises in critical situations, like the recent Colonial Pipeline ransomware attack. Unfortunately, 60% of smaller companies go out of business six months following a cyber attack.
The U.S. Government and cybersecurity experts strongly advise companies to prepare for data breaches. Every industry and every size company is vulnerable. Although one of the Administration’s priorities is to strengthen U.S. cybersecurity, they are also urging business leaders to “strengthen their cyberdefenses to protect the American public and our economy.”
According to MarketingProfs, a security data breach can “serve as a stage to show the world that your company is either unorganized and uncaring or responsible and human.” It cites Johnson & Johnson’s handling of the Tylenol poisoning crisis of 1982 as an example of effective crisis communication and marketing best practices.
It is imperative, then, for companies to prepare for a data breach that could expose their customers’ private data. After a breach, customers are more interested in what you are going to do than in what you have done to stop such an attack (which obviously didn’t work).
Here are some ways to prepare, communicate and repair after a security breach.
It is less about if you will have a crisis and more about when. You must prepare in advance for a security breach. There is no such thing as a 100% secure networking environment, especially in light of remote working due to Covid-19. Expect to have a crisis.
The first step is to know your vulnerabilities. If you have an IT team, talk to them about how you can avoid any obvious mishaps. What security protocols and systems are in place, and how can you make sure they are followed? Then confirm that information is frequently communicated within your organization.
Additionally, it is important to understand whether the applications and platforms you use are secure. Conduct research on any CRM or third-party app you are using and be sure other departments are doing the same. Do the vendors back up their data and use multi-factor authentication? Do they have a history of security breaches?
Next, be sure to communicate your security policies with your customers and website visitors. If you are changing anything, communicate that clearly. Assure them of all of the steps you are taking to keep their data secure; they will be more willing to trust you and forgive you when something goes wrong.
Last but not least, create a crisis communications plan. What will happen in the unfortunate scenario that your data is breached? A crisis team of top-level executives from legal, communications, security, IT and other relevant departments should be identified to create a plan that includes a spokesperson; prepared statements for internal and external stakeholders and the general public; and other steps.
A well-planned data breach response can convey that you are in control of the situation, concerned about your customers’ privacy and committed to tightening security procedures to help prevent future attacks.
—Tim Francis, Travelers Enterprise Cyber Lead.
When you are first notified of a security breach, it is time to gather information and put your crisis communications plan into action. According to Pushkin PR, top-level actions include determining what data was compromised, who was impacted, and if it has been resolved.
Once you know as much as you can, it is time to inform those affected quickly and directly. The General Data Protection Regulation (GDPR) requires companies to alert their customers within 72 hours of discovery of a data breach.
First, get in touch with those who were impacted and then follow these steps:
- Be honest and straightforward.
- Show remorse and articulate how seriously you are taking the situation.
- Explain how the breach will affect those impacted and what they can do.
- Answer any potential questions that you can.
- Focus on the relationship and how you can strengthen it.
Next, you will need to make an official statement about the event on your website and potentially to the media. It is important to continually monitor social media channels and to have all communications documented, reviewed, and handled promptly and honestly.
The repair phase will be one of the most important and longest-lasting parts of the process. Follow up with your customers, stakeholders and the general public. Keep them updated via email, blog, social media, internal comms and any other channels. Continue to monitor your online reputation and be prepared to share where you are in the repair and rebuild process.
An Interactions Marketing survey found that 85% of shoppers who had personal information stolen as a result of a security breach tell others about their experience; 33% take to social media to complain about their experience.
So what now?
Prepare a script that answers standard questions after the initial period. Never respond with “no comment.” Provide contact information for media inquiries and for stakeholders looking for additional information. Explain what you have already done and what more you will do. This is also the time to listen and to be compassionate, not the time to become defensive.
No one wants to handle a crisis that involves a data breach. However, it will most likely happen to your company at some point. It can take a while to bounce back and repair the damage a data breach causes to brand reputation. A well-executed marketing plan for data breaches is the best possible way to manage a tough situation. Patience and time will always play a key role in this rebuilding process.