Public Relations in Face of a Data Breach: Risk and Preparation

Posted by Mark Greisiger

A Q&A with Robert McEwen of McEwen & McMahon
Among the multitude of risks posed by data insecurity is damage to a company’s reputation. In the past, ineffective communications about a data breach often have led to greater financial loss for victimized companies, such as when customers speak publicly about their negative experiences and damage brand equity, or when victims feel their concerns are not being taken seriously and seek recourse through legal action. So how can organizations prepare to communicate effectively in case sensitive information is ever compromised? We spoke with Robert McEwen of McEwen & McMahon to find out.

Why should clients care about PR as it relates to data breach/privacy violations?
Data breaches can erode trust in a company and damage its reputation. What wise business leaders have come to understand is that reputation has quantitative value. It is just as tangible as inventory, receivables, real estate or any other asset on the corporate balance sheet. Year-over-year analyses of Fortune magazine’s annual ranking of “Most Admired Companies” illustrate the indisputable cause-and-effect relationship between reputation and market capitalization. Moving up or down a single notch in a company’s industry sector rankings on average translates into a gain or loss of more than $100 million in shareholder value. It’s only common sense to take every precaution to protect and defend such a precious asset by investing in strategic communications counsel.

How can clients prepare to better manage their brand and mitigate future liability following a data breach event?
Data breaches are an unfortunate fact of life in a digital society. They are as ubiquitous as fires. The question is not whether they will happen, but when. Never, therefore, has the old adage “an ounce of prevention’s worth a pound of cure” held more true than when managing network security. It is far more economical to monitor, identify and deal with potential security issues in advance than to ignore them until some triggering event thrusts an issue before the klieg lights of the media. That’s when a company finds itself in the docket of the court of public opinion, where the jury most often presumes guilt, not innocence, and the trial is almost always a costly one. Such messes often can be avoided if only business leaders would make relatively small investments in crisis preparedness plans and rehearse them regularly.

Every manager with data breach response authority ought to have the crisis management plan filed and posted as an icon on his or her desktop. The plan should include specific scenarios for a variety of different occurrences—whether caused by a stolen laptop, a technology glitch, or a malicious hacker. Such pre-planning enables companies to deal with the situation more effectively than scrambling frenetically at the last minute.

In my experience, most stakeholders understand that data breaches are inevitable to an extent and they will be relatively forgiving if a company handles such an incident efficiently and straightforwardly. If, however, they perceive anything less than full transparency, then stakeholders can be ruthlessly unforgiving. That’s where the rubber meets the road and companies can suffer a significant bottom-line impact.

How much can PR services cost for a large/medium/small business?
The best way of estimating the cost of preparing for or responding to a data breach is to use the PR Cost Calculator that McEwen McMahon and NetDiligence developed for the eRisk Hub.

Generally speaking, the kinds of variables that impact PR costs mostly have to do with the size and scope of the breach, and the company’s degree of readiness to deal with it. How many stakeholder audiences are affected and how large are they? How sensitive is the information that’s been compromised? (Credit card data? Social security numbers? Private health information?) Does the company have internal PR capability? Is there a crisis communications plan? How up-to-date is the plan? Have employees rehearsed it?

Depending on the answers to these questions, PR costs can range from tens of thousands to hundreds of thousands of dollars. But far more important than the immediate cost of retaining outside PR counsel is the potential cost to a company’s reputation. Millions of dollars in brand equity that has taken decades to build can be wiped out instantaneously if a company’s response to a data breach is — or is perceived to be — inadequate.

In conclusion …
What most impressed me about Robert McEwen when I met him a year or so ago was that he was talking about the value of PR. He recalled the Tylenol case (of 1982), and how that was a classic example of excellent media management and customer communication, while the BP oil spill in the Gulf showcased the opposite. Bob felt there are strong similarities to properly handling a massive data breach event. I think he is spot-on, especially if you look at some of the largest publicly reported data breach incidents and how they were handled in the public forum. There is a strong argument for having a professional PR team in place to significantly help mitigate the risk exposures facing many businesses when the inevitable data breach or leak occurs.