Let’s face it: PR, and its fancier sibling, crisis communications, is the red-headed stepchild of the data breach family. Everyone accepts that you need a seasoned breach coach to help navigate the maze of state-specific disclosure laws and avoid third-party litigation, and we can all agree that a sophisticated forensics shop is key to stopping the bleeding and assessing the damage. But then what? It seems like more often than not, a breach victim’s response to an attack is limited to a very delayed and often-canned press release that leaves customers and employees with more questions than answers. I talked to Zach Olsen, President of Infinite Global and head of the firm’s Crisis Response & Reputation Management Group, about where he sees an opportunity for reducing the costs and reputational harm of a breach.
So what’s the problem?
Primarily, what I’m seeing is organizations hiding from the reality that they could be the next victim of a breach. Or worse, the organization thinks that if a crisis occurs, they can wing it. The net result of that head-in-the-sand mentality is that companies are being caught flat-footed when a crisis hits and they are forced to make it all up as they go along. It would be one thing if we were talking about an organization comprised of lawyers, forensics investigators and professional communicators, but we’re not. These are retailers, pharma companies, banks and the like. They are often amazing and brilliant people but they are simply not prepared to deal with a crisis like a breach.
I hear what you’re saying. So what’s the solution?
It’s simple but it’s not easy. Organizations must take advantage of the knowledge, experience and expertise of the community of professionals who respond to these incidents for a living and leverage that experience to help them prepare for the inevitable. And to a great extent those practices are becoming more commonplace; vulnerability assessments, tabletops, pen testing and the like are happening but there is still a cavernous gap between what is being done on the legal and forensics side and what is being done on the communications and reputational harm side. I’d argue that the main difference between a Target and a Home Depot is the speed, accuracy and consistency of the communications response. Even though Home Depot’s breach was larger by some 15 million credit cards stolen, the company’s shares went up in the aftermath of the breach while Target shares dropped nearly 20%, not counting further drops from a 46% earnings loss the following quarter. While Target has rebounded in the recent bull market, the immediate aftereffects – and possibly long-term prospects – from a breach are clear.
What I’m hearing is that a lot of organizations don’t know how or where to start. What does good crisis comms prep look like?
Know Thy Self. Who are we as an organization, who are our customers, clients, donors, investors, employees, vendors etc. Until we know who the audiences are we’ll have no way to know what they care about and how to communicate with them. More so, understanding the varying concerns of different audiences, whether investors or families, is crucial to providing the direct messaging necessary to address all audiences. Corporations often severely underestimate the mind-blowing speed and devastating impacts of social media firestorms. Agile communications, and the planning that enables that agility, allow a corporation to become a part of the conversation instead of a target.
This gets into speed. A well-organized plan integrates and automates processes so that when a crisis does hit, an organization is not stuck in the mud from the stress of the situation. It is essential to take action and quickly disseminate information even if it’s only admitting there’s a problem to be investigated. Automating this beforehand, by implementing an incident response team, drafting relevant and adaptable statements for all mediums, becoming aware of notification policies, and forming relationships with external vendors will make a crisis a series of executable steps. Establishing relationships beforehand is more than just for ease: contracting outside communications, legal and forensics consultants during a crisis, as opposed to months before, can cost up to four times more, and often you’re stuck with whatever you can find on short notice.
Lastly, a crisis plan must be practiced. A piece of paper outlining responsibilities is not the same as sitting down and running a tabletop session or practicing a drill. What happens if the CEO or CTO is on a plane when a crisis hits? You do not have the luxury of pausing a breach. Therefore, it is vital to be malleable and highlight various ways to reach the end goal.
All of this planning will take time, effort and money. But, like any investment, the benefit if and when such an incident occurs is crystal clear.
It sounds like organizations are essentially writing an insurance policy for their reputations. Is that accurate?
Exactly. Corporations have insurance for every conceivable area of business and accept without question that it is best to mitigate those risks to outside professionals. Nevertheless, they often skimp on one of their most important assets: their reputation. Why take the risk?
While ‘reputational insurance’ is still in its infancy, there are moves being made to make it more accessible and worthwhile. According to a recent ‘Cost of Data Breach’ study, an incident response team, business continuity management involvement, and employee training all are factors that contribute to a decrease in breach costs. With an average breach cost of $141 per record lost, having an incident response team alone can lower the cost of a breach by $19 per record. As a final point, breaches that are resolved more quickly – i.e. those planned for and executed properly – cost an average of $1.17 million less than breaches that take more than a month to contain.
In summary, during the throes of a crisis, executing an efficient and effective reputation management campaign, alongside the stresses of the host of other issues a data breach brings, places considerable stress on the unprepared, leading to miscommunication, slow responses, and, inevitably, a damaged reputation. And yet, few prepare. We’re hoping that time, repetition and the buy-in of others will slowly change that and more organizations will decide to make the investment in protecting their reputations.
Special Thanks to Zach Olsen from Infinite Global for his insight on crisis communication.