Target, Home Depot, Sony and now Anthem. How many data breach hacks are you going to watch happen to others before you get your team in gear and take the necessary precautions to minimize the risk of this happening to your organization?
It’s true that the risk of a data breach can never be 100% eliminated (unless you go completely off the grid and back to a world of paper and wire phones), but it can be minimized and then planned for. In fact, it is your responsibility to minimize and plan for this risk. You have a responsibility to your customers, clients, members, employees and even to your organization to take this initiative.
I think that many people see this as a risk, though perhaps not one that could happen to them. Until it does. Who would have thought that Sony would be targeted by (allegedly) North Korea on account of a Hollywood production? Not many. But it happened. And you don’t need to be a major brand or organization to have this risk threaten your very livelihood. A data breach hack is a risk to any organization, no matter its size or industry.
How to minimize the risk of a data breach crisis
This is a loaded question and one that I don’t specialize in. However, when minimizing this risk you will need to come at it from all angles. For example:
- Do you have a database of your customers, clients, members or other stakeholders’ confidential information (be it their name, social security number / social insurance number, home address, phone number, banking information, etc.)? If so, how secure is this database?
- Does your organization communicate confidential information and trade secrets via email? If so, how secure is your email service provider and are your employees required to change their passwords regularly?
- If your website was hacked, what could that do to your reputation and how could it immobilize you? How secure is your domain registrar and your hosting service? How secure are your admin logins?
- Do you obtain credit card information from your clients? If so, are you compliant with all regulatory requirements and best practices for ensuring that you don’t end up being the next Target?
- Do you and your employees use smart phones and tablets? Do these mobile devices contain email and other apps that are used for and at work? If so, then your organization is vulnerable to a hack on each of these devices. Have you explained this to your employees and provided them with requirements to keep their mobile devices safe and secure?
Like I said, preventing a data breach is a complicated ordeal and I only touch on the surface with these questions. However, if they made you think or question your level of security, then I’d add this to the top of my to-do list if I were you.
Side note: Are you curious about how mobile technology leaves you and your organization vulnerable? If so, I’m getting ready to publish my next ebook, which is a collaboration with Judith Delaney, and discusses everything you need to know about mobile technology: How to keep your organization safe from hacks and how to leverage mobile as a powerful crisis communications tool. If you’re interested in being notified when this ebook gets published, then send me an email and I’ll make sure to add you to a very special list!
How to plan for and respond to a data breach crisis
Like I said above, the risk of a data breach hack can never be fully prevented. Considering this fact, and considering the high probability that this risk may one day become your living nightmare, planning for such a crisis within your crisis communication plan is a must-do.
It was recently brought to my attention that there isn’t currently a lot of information available out there on how to prepare a crisis communications plan for a data breach or hack. Since this is an area that I do specialize in, I thought I would remedy that. The following is an outline to get you started. I’ve written this to help you plan and respond to worst case scenarios, so feel free to scale it down to fit your needs. HOWEVER, do not underestimate the power and importance of communicating, following through and showing remorse and compassion while managing this type of crisis.
4 steps for responding to a data breach or hack
Incorporate the following into your data breach crisis communications plan:
Step 1: Com-mu-ni-cate!!
While your tech team is working on containing and securing the breach, your crisis communications team’s first and most important priority is to communicate directly with your affected stakeholders. This needs to be done as soon as possible. The sooner the better and emphasis on the “directly” part.
Yes, it’s true that if the breach has the potential of being severe, you’ll need to post a message to your corporate website and crisis communications home base, but the first thing on your to-do list is to communicate directly with those who may have been impacted.
Tips for this communication:
- Do not sugar-coat anything.
- Be honest and to the point.
- Show remorse and let your actions and words communicate how deeply you care and are taking the situation seriously.
- Make sure your communications answer all foreseeable questions that you have answers to at this point.
- Clearly communicate how this breach affects those impacted, what they should do to immediately protect themselves and where and when you will provide them with another update.
- Focus on maintaining (and even strengthening) your relationships with these stakeholders.
Remember, they’ve entrusted their information to you and you’ve been hacked. They have every right to be pissed and worried. But if you focus on your relationship and being transparent and empathetic, they may just forgive you. But in order to earn their forgiveness, you need to put them first and prove to them that you care and that you’re taking this breach seriously.
Step 2: Create and publish your official statement
Once you’ve communicated directly with the stakeholders who have been impacted by this breach, it’s time to publish an official statement – especially if you know that this breach is going to create headlines. This means drafting an official statement and publishing it to your crisis communications home base. If it’s a very severe hack, then you’ll also want to make sure you have a mention of the hack and a link to this statement from your website’s homepage (a big banner above the fold often does the trick). Don’t make people go searching for your communications, make it easy for them to find.
Tips for your official statement:
- Tell your story. If the media will be reporting on this, then give them the (true) story to use. This is a good way to make sure you become the narrative of your own crisis.
- Be as honest, transparent and compassionate as you were in your direct communications with your affected stakeholders. Focus on building and strengthening your relationships.
- Clearly state what the repercussions are, what you have done and what you will be doing to manage this crisis and protect those whose confidential information has been breached.
- Answer all foreseeable questions – and come back and update this statement as more questions get answered.
- Title this statement with an intuitive title that will rank well for the keywords people will use to search for more information on this data breach.
Depending on the severity of the breach, you may also want to consider the following:
- Include a video apology from the organization’s CEO or the like, though it’s important that you only do this if you’re going to get it right. There’s no room for error here.
- Provide a contact for media inquiries.
Step 3: Make sure your social media team is ready
Not only do you want to link to (and maybe pin) your official statement from your social media accounts, but you will need to monitor social media as well. You’d better believe that people will be going to your platforms to:
- Look for information
- Ask questions
- Express their upset and disappointment in your organization for allowing this breach to happen in the first place – whether it’s your fault or not, it will be your fault.
That said, your social media team needs to be armed with:
- Clear messaging for proper response.
- Information on where to send specific inquiries that need to be redirected.
- A response flow chart that will help them answer the tough questions, such as when to respond, when to sit back and monitor and when to escalate a specific case to the crisis team.
Your social media team will also have the task of monitoring social media to identify rumors and speculation and to gauge the overall sentiment for the brand’s reputation.
Step 4: Keep an eye on your online reputation
If the hack has garnered enough attention, then the media and bloggers will be reporting on it. These articles will be indexed in the search engines, which means that you will want to:
- Make sure that your communications are helping to shape the narrative of this crisis in as much of a positive way as possible. Basically what you want is to be recognized for your quick, compassionate and remorseful response – and your brilliant crisis management skills. The only way to get this recognition is to earn it.
- Do what you can to make sure that these ranked articles are not going to overpower your own online presence and rankings (which is something that should actually be strategized before you’re ever faced with a crisis. This requires an online vulnerability audit). If this happens, you’ll be left with an online reputation management mess to clean up later, which can be time consuming and costly without any guarantees.
Do the smart thing and minimize your risk
A data breach crisis is, unfortunately, a very realistic risk; a risk that only continues to increase. Doing what you can to secure your networks from being breached and taking the time to create a crisis communications plan to arm your team with are the two most strategic things you can do to make sure that, if this risk were to become your reality, you could manage this crisis like a pro and not let it have a long-term negative impact on your reputation or bottom line.
I’ve provided you with a good outline to get started. Now it’s your turn to get on it. Good luck.
Author of Crisis Ready: Building an Invincible Brand in an Uncertain World, Melissa Agnes is a leading authority on crisis preparedness, reputation management, and brand protection. Agnes is a coveted keynote speaker, commentator, and advisor to some of today’s leading organizations faced with the greatest risks.