In the wake of a major Facebook data breach, it is important for companies, regardless of industry, to understand best practices for handling a data breach. The actions taken directly following a breach will impact the brand, reliability and customer trust.
For a company whose brand and reliability among customers depend on the security of private data, it's hard to imagine a nightmare worse than a major data breach. Facebook is the latest to deal with such a crisis in an especially public way: the social media company recently confirmed that 30 million user accounts were hit by a data breach in September. Even worse, the company also announced that hackers pulled personal information on almost half of those breached.
It's hardly a problem limited to companies centrally in the public eye like Facebook. According to the Data Breach Index managed by Gemalto, over 14.5 billion data records have been lost or stolen since 2013. Today, nearly 7 million records are compromised daily, Gemalto adds.
For companies that hold consumer data, it's safest to treat a breach as a matter of not if but when, and to start planning the proper response. When leadership plans for a cybersecurity threat, communication must also receive planning and attention. This communication work should not be seen as taking away valuable time and resources; instead, it should be regarded as a key piece of proper preparation and communicated to leadership so they can allocate the necessary resources to this strategy.
As a public relations pro, consultant, author, and speaker who specializes in branding and communication (in addition to being a professor of communication at Maryville University), I've witnessed many companies bungle the communications side of this type of crisis while focusing exclusively on the cyber fixes. Don't let that happen to you. Take these four steps in the event your company's information (and that of your customers or clients) is breached.
1. Report the facts quickly.
First and foremost, make sure you are transparent about the number of users affected. Some organizations make a risky gamble by releasing a number much lower than the truth, which inevitably results in a double blow – a crisis situation when the numbers are first reported, and yet again when the truth comes out.
Second, while it's true that "communicate quickly" is a piece of advice from crisis communication 101, keep in mind that during a data breach, you'll face a more complicated set of issues. For example, you'll need to work with law enforcement prior to public communication. That said, during this waiting period, be aware of every last company action. Limit extravagant bonuses and other moves that could be called into question when you speak about the breach.
2. Get comfortable with uncertainty.
Unlike other crises that an organization may face, you may not know exactly how far-reaching the breach really is for an uncomfortably long time. Although you must communicate as quickly as possible, remain humble in your apologies, be honest about what needs to happen to get the full picture of the problem, and focus on your commitment to protecting past, current, and future customers and stakeholders.
3. Bring in a third-party investigator to help.
Don't skimp on this measure. Let your stakeholders know that you've hired the best cybersecurity investigators to discover the breadth of the breach and fix this and any other weaknesses that pose risks for the future.
4. Offer concrete help – with no hidden agenda.
Equifax offered one free year of credit monitoring to customers when the company suffered a breach. Accepting the free year meant customers gave up any possibility of suing Equifax for the incident, which was stated in very small print. In the end, the move may not have helped Equifax's case. Focus on helping and doing the right thing, even if it means spending money.
If you maintain open lines of communication, take steps to offer help and protection, and focus on the customer before the bottom line, your various stakeholders will notice.
We all know and accept the fact that these days, our online lives are subject to hackers. While we hope companies are doing everything they can to protect us, many companies will experience some level of breach at one point or another.
What will truly make or break consumer trust and loyalty is how a company handles and rectifies these situations once they occur and what protections it puts in place to prevent them from happening again.