LexisNexis® for Corporate Counsel
By MELANIE DOUGHERTY THOMAS, Managing Director, INFORM
No company wants to find itself managing a crisis, but many organizations find themselves in that mode every day. Recent examples have ranged from massive data breaches and cyberattacks (most notably the Sony® hack) to product recalls and Congressional investigations, to the specter of a deadly Ebola pandemic. How a company handles a crisis and how it communicates with customers, employees, partners, shareholders, regulators and the news media can mean the difference between an unfortunate but contained event and one that leaves years of litigation, punishing fines and a damaged reputation in its wake.
At Inform (InformTheAgency.com), 2014—dubbed by many “the year of the breach”—began with the usual types of clients: start-up companies in need of branding, PR support for occasional litigation matters, new business-line launches, and one or two data breaches and crisis-planning engagements. But, as the year progressed, our data-privacy practice exploded. A deluge of high-profile data breaches and cyberattacks over the previous year has put the practice of crisis communications and crisis management on the front burner for every executive team and board of directors.
The business enterprise, however, was still slow to recognize the increasing likelihood of a data breach or cyberattack event, even with companies like JPMorgan Chase, Staples and Home Depot falling victim.
Then Sony was hit and everything changed. Who could have expected the Sony cyberattack would shine a light on the treacherous waters of corporate security and the lack of crisis preparedness in our companies?
The relentless attack on Sony, in my view, is quite simply corporate terrorism complete with extortion, blackmail and infrastructure destruction. It’s shining a light on a new era in global business where politics, the fight for commerce and ideology are playing out in what some commentators are calling a cybersecurity world war. Whether classified as a cyberwar or simply corporate vandalism, today’s data breaches and cyberattacks are extremely complex matters that can cripple a company. These are issues that should be followed very closely by every general counsel in this country. In fact, the complex and increasingly litigious nature of the crises hitting corporations is forcing general counsels to act not just as executor of the law, but as chief crisis manager.
Today’s general counsel has the unenviable position of having to steer his or her company through increasingly complex matters—the likes of which have never been seen before. When my father, Tom Dougherty, was GC of Metromedia well over 40 years ago, he was charged with, among other things, corporate contracts, licensing, regulatory oversight, mergers and acquisitions, policies and procedures, employee relations and the occasional lack of judgment by an on-air personality. He was a crisis manager to be sure. However, today’s general counsels are faced with an often nameless, certainly faceless, foe in the form of a cyberattacker, the inside threat of a rogue employee or privacy event due to employee or contractor error, in addition to their “usual” duties. And all too often, they are not adequately prepared to face these new threats alone.
When a crisis hits an organization, an employee or supervisor usually contacts the human resources department, which will either manage the situation alone or in partnership with (or under the oversight of) the general counsel’s office. Data breaches and cyberattacks have challenged this protocol. Very often, someone outside the organization, such as FBI agents, Secret Service special agents, local law enforcement, banking officials or even journalist Brian Krebs, will raise the alert that there has been unusual activity involving payment cards or customer PII (personally identifiable information). IT is then asked to trace the activity. At some point, the IT team lead will usually acknowledge that systems have been breached. A forensics firm is called in to identify where the vulnerabilities lie and to begin the investigation into what information, if any, has been exfiltrated from the system. This is the point when a company realizes it is in crisis. All too often, there is no crisis-response plan and no crisis manager, and chaos abounds. Reporting, notification, internal communications and public relations responses are often mishandled, as was the case with one large retail breach this past year, leading to management dismissals, a plummeting stock price and earnings, terrible press and now multiple class-action lawsuits.
In the case of a very different, albeit equally devastating, crisis like the Ebola epidemic at Texas Health Presbyterian Hospital in Dallas, an apparent lack of crisis preparedness drove chaos both within the hospital and throughout the country. Little or no communication seemed to come from hospital management for several days before a statement finally was issued. During an infectious and deadly disease outbreak, rapid communication is critical to containing public fear.
It wasn’t until the doctor who led the care of the Liberian victim spoke that I began to feel compassion for the hospital and its medical team. Until that point, the media, which painted the hospital as simply inept and uncompassionate, drove the story. Ultimately, the perception that prevailed was one of a lack of leadership from the hospital management, which gave mixed messages that lacked remorse in the face of a pandemic and patient death.
So what should have been done differently in either of these cases? Everything, beginning with the crisis management.
Good crisis management begins by addressing the following:
1. The crisis team
The crisis team should include both internal and external professionals. The internal professionals should be those who regularly lead critical teams within the organization, and include the CEO, COO, CFO, GC (General Counsel), CPO (Chief Privacy Officer), HR, customer service, marketing lead, corporate communications, investor relations and IT lead. The General Counsel, as fiduciary, must be prepared to act as the internal crisis manager. Let there be no mistake: if a crisis is mishandled, the GC will be the one, along with the outside counsel and PR firm, to deal with the fallout. Therefore, it falls upon the GC to act as the internal crisis manager for the organization. Many organizations will task human resources with leading crisis response. I’ve never understood this decision, as they are neither practitioners of the law, nor are they charged with leading finance, customer service, marketing, or corporate communications—all of the public-facing roles. Junior members of your team may not be the right people to lead crisis response either because they don’t have seniority within your organization and the power to direct other crisis-team members. Therefore, it falls on the GC to be prepared to lead the charge.
Leading in a crisis takes fortitude. You must be prepared to face the crisis head-on and be relentless in your pursuit of the truth, even when the truth is damning. Remember you have a fiduciary responsibility to the company and your role is critical to its survival. Be bold. Ask the tough questions and demand proof from your team. If the crisis is mishandled it will very likely result in litigation and every step, or misstep, in the crisis will be scrutinized.
2. External team
Every crisis is different, and while your internal team should always be the same, your external consulting team will be determined by the nature of the crises you face. To prepare for a data-privacy event, for example, choose professionals from crisis communications, computer forensics, customer notification, credit monitoring and a law firm with a solid cybersecurity and data-privacy practice. Be aware that just because a firm has a large marketing budget and a high-profile brand doesn’t mean they have the most seasoned attorneys for data privacy and cyber matters. The same holds true for public relations firms. Choose wisely.
A crisis-communications professional, working in tandem with a data privacy attorney, should act as your external-crisis-team leads and your partners in the crisis response. The external-team leads can be particularly effective because they are a bridge across disparate groups within your organization. They have distance from the crisis and no history with your employees and their shared employment experience.
3. Crisis preparedness planning
Every organization in business, no matter its size, should have a crisis plan in place. Hire a crisis communications firm that specializes in such practices to help you build a plan for your company, and then have your privacy attorney approve the plan. Please do not assume that your company is either too big, or too small, to experience a crisis like a data breach or cybersecurity attack. Smaller firms are soft targets because they often lack the resources to build extensive security. But no firm is too large or too secure. Consider the breach at JPMorgan Chase. The company invested $250 million in security prior to its October 2014 breach. The company’s CEO, James Dimon, has since committed to doubling that investment to over $500 million and they’re likely still vulnerable. However, don’t be deterred. It’s your duty to build the most thoughtful, thorough plan possible, considering every conceivable crisis scenario and planning for each with detailed, tested messages. But remember, preparation is only half the battle. The best-laid plan can be thwarted if your team fails on the execution of that plan.
4. The crisis plan
It’s worth repeating that when a crisis erupts, your response plan should already be in place and your crisis team should be engaged and prepared through regular rehearsal, like tabletop exercises. The plan should include:
Messaging for a crisis is critical and often determines the outcome above all else. Work with good crisis-communications and data-privacy firms to craft messages that are precise, accurate and protect the company in a court of law, as well as the court of public opinion. Do not rely on your brand PR firm for this engagement. Crises have their own considerations, such as state and federal regulations, national security implications and technology applications, among many other things. Generalists are excellent at handling a wide variety of tasks but the unique nature of crisis response requires special skills, training and experience.
There might be a bit of tension with your communications team over your messaging, but that is to be expected. You’re both concerned, ultimately, with protecting the company. Counsel might be more cautious, while PR has a tendency to want to be more transparent and feel the need to “spin” the story. You can meet in the middle. Messaging should drill down for every conceivable crisis scenario. Take the time necessary to work the nuance. The gray area is where cases are won and lost, and it’s also where public sentiment can be found.
6. Zero-Day plan
This is a plan for when your crisis plan fails, and you’re faced with zero options. An example of this might be a hospital that has been hit with a natural disaster and its basic necessities cannot be met. Another example might be your IT system has been infiltrated by a cyberattacker who has taken control of your system. When your company’s intellectual property or information critical to national security is vulnerable, what do you do? Do you have a backup and are you prepared to take down your own system to prevent the cyberattacker from accessing that information? Be prepared to shut down your company, if need be. Talk with law enforcement immediately if you feel such a scenario might be imminent; they can provide valuable insight, guidance and expertise in a cyber event.
It must be noted that your internal team is typically not prepared or capable to handle a crisis alone. Too often an organization believes they can handle a crisis because they feel capable at their various stewardships and/or they think they know the needs of their company better than an outside consultant. They are likely very good at their jobs, but the problem here is two-fold:
(1) Generalists are just that, generalists: they have neither the training nor the time to be adept at crisis response; and
(2) Employees are too close to the situation to make sound judgments during a time of crisis.
The scenarios I’ve presented, once seemingly the fodder for movies, are now real-world situations companies are facing every day. It’s not enough for the General Counsel to expect IT to handle technology issues alone or your insurance policy to cover your losses. Today’s crises demand that someone in leadership truly leads. I believe the GC is the best prepared and positioned to do so, but remember you shouldn’t go it alone. Hire solid support from outside law and crisis-communications firms and be prepared to pull back the kimono and share both the information and the responsibility. We can only be as good as our partners inside the company will allow us to be. And keep in mind that we can’t perform miracles. Require the entire business enterprise to become knowledgeable about and responsible for today’s crises; they’re no longer just material for Hollywood movies.
About the author
Melanie Dougherty Thomas
CEO & Managing Director
Melanie has over 25 years of experience in marketing and communications, beginning at just 17 years old when she worked for the Washington, D.C. affiliate of NBC News. She continued to work in network news for organizations like CNN, NewsLink, Conus, and Fox while earning her BA in journalism from George Washington University. In 1996, Melanie transitioned to the public relations field, representing clients in technology, health care, finance, homeland security, defense, cybersecurity, data privacy, consumer markets, public affairs, foreign governments and finance, in both an in-house and firm capacity. Her experience transcends traditional communications, with expertise in strategy, media relations, crisis communications and integrating new media tools to leverage exposure for her clients. She has built in-house communications departments for start-ups, led corporate communications teams for multinational companies, worked for global public relations firms, and served as a consultant across multiple organizations successfully integrating disparate communications needs. Melanie started Capitol Communications (now Inform) over a decade ago to meet the growing need for highly specialized public relations talent in Washington, D.C. The firm now has nearly a dozen communications veterans, each with over 20 years’ experience, in Washington D.C., New York and California. In addition to leading her firm, Melanie spends a considerable amount of time speaking and blogging about crisis communications and branding. She can be reached at: firstname.lastname@example.org.