Proper Communication is Key to Maintaining Reputation After a Cyber Breach
No matter how careful your company is with its computer systems, no matter how many safeguards may be in place, statistics show that it still may be a victim of a cyber attack. Once that attack occurs, however, how you communicate the details of what happened and how you’re working to resolve it is crucial in preserving your company’s reputation.
Jennifer Smith, Senior Client Advisor and Vice President of Technology at the Lockton Companies, speaking at a recent conference entitled “NetDiligence® Cyber Risk & Privacy Liability Forum,” said that it is crucial to have a detailed plan in place before a cyber attack happens.
“Who is your law firm? Who is your PR firm or your forensics firm? Those are all things that need to be addressed early with your management team,” said Smith.
“Many of my clients think they are the expert on their own, internal IT systems—and they may be—but in the event of a crisis, if you need to retain a third party expert, you need to have that expert in place earlier rather than later … if you don’t have your experts identified you may run the risk of destroying the attorney-client privilege and work product,” said Smith.
Karen Doyne, head of the Crisis Practice at Burson-Marsteller and based in the large public relations firm’s Washington, D.C. office, said, “often the difference between a data breach incident and a data breach crisis is the nature and effectiveness of the company’s public response, including the media and those who were affected directly by the breach.”
“The public doesn’t expect perfection from companies. They do expect integrity. So the question becomes, are you meeting people’s expectations and are you doing the right thing—and that’s what it’s all about,” she said.
She said that companies often have difficulty in meeting the public’s expectation of transparency because it often takes a while for the company to find out exactly what happened and to what extent, once a breach occurs. As a result, companies make a mistake in waiting to communicate until all the facts are in.
“Companies tend to want to—for very good reason—wait to say anything until they’re really sure exactly what is happening. And they want to make sure they don’t say something that doesn’t turn out to be incorrect later, which is an absolutely understandable impulse. But the problem, particularly in a large breach involving personally identifiable information (PII), is that the public and the media may not let you get away with that. People will expect you to, within a reasonable amount of time … communicate that at least something has happened. That is going to be extremely important,” said Doyne.
At the same time, she said, another common mistake is “relying on the accuracy of the facts as they come in.” Often initial assumptions turn out to be incorrect.
“You don’t want to set false expectations about the breach by taking as gospel what you think is true when it first happens. You have to put caveats around that language to clarify that facts are still being gathered and clarified,” she said.
A third mistake is when a company whose service has been disrupted publicly commits to a timeline for service restoration based on early facts or assessments. Investigations and fixes often take longer than expected.
She said, however, that companies can effectively manage a data breach by putting themselves “in the shoes of the people whose data may be affected by this breach. It’s their expectations that you need to understand and that you need to fulfill.”
She also recommended that companies offer assistance such as credit tracking to those who are affected and that they ensure the assistance matches up to the industry standard.
“Doing any less than that is going to tick someone off. And everyone who’s ticked off is a potential headline,” she said.
She also recommends that companies make it clear that their customers are their first priority and that they are doing all they can to handle the situation.
The message should be: “We know that we have to re-earn your trust every day. We hate that this happened but we are aggressively dealing with it. Here’s what we know, or what we think we know, here’s what we don’t know yet, and here’s what we’re doing to find out what we don’t know. And importantly, here’s what those who are concerned in the meantime should do,” said Doyne.
She also pointed out that it’s a good idea to inform customers when law enforcement is involved.
“It reminds people that this is a crime—and one that has become an epidemic. A crime has been committed against the company. It is a way of highlighting the fact that the company and its customers are in fact the victims,” said Doyne.
Disclaimer: The views and opinions expressed in this article are those of the individual sources referenced and do not reflect the views, opinions or policies of the organizations the sources represent.