“Am I impacted” and other questions: Data Breach Communications

Sofiya Yusypovych
5 min read · Oct 6, 2021

Photo by Philipp Katzenberger on Unsplash

Data security crises and privacy breaches have become a matter of when, not if. According to Edelman’s Connected Crisis 2021 Canada Study, 1 in 3 Canadian executives have faced cybersecurity issues in the past 3 years, while 78% say their company is likely to face a cybersecurity issue over the next 3 years. Despite this, only 43% of executives admit they are well prepared to manage a cybersecurity crisis. It is in the weeks, months, and years following a data breach that organizations realize how they handled the incident often becomes part of their public-facing brand. It’s also not a cheap crisis to find yourself wrapped up in.

The cost associated with managing ransom payments, legal fees, insurance, and vendor contracting can add up to one heavy check. According to IBM’s annual Cost of a Data Breach report, in the span of one year ending April 2020, the average cost of a mega-sized data breach was US$3.86 million. In terms of highest average cost for data breaches per country, Canada came in third after the U.S. and the Middle East, with US$4.5 million.

The costs that are more difficult to quantify are those associated with reputation management, brand repositioning and trust rebuilding — from time spent on convincing prospective business partners you’re a secure organization to work with, to courting future employees, clients, customers. Panicky fixes to a negative public perception can become a deep money pit.

Context is in the numbers

According to a 2021 Comparitech study:

  • After 110 market days following a breach, share prices fell -3.5% on average and underperformed the NASDAQ by -3.5%.
  • In the 6 months leading up to a breach, average share price grew +2.6%, compared to -3.0% following a breach.
  • After 1 year, share price fell -8.6% on average, and underperformed the NASDAQ by -8.6%.
  • After 2 years, average share price fell -11.3%, and underperformed the NASDAQ by -11.9%.
  • After 3 years, average share price was down by -15.6% and down against the NASDAQ by -15.6%.

Interestingly, companies whose breaches leaked highly sensitive information (e.g. credit card and social security numbers) saw more immediate drops in average share price performance than companies that leaked less sensitive information, but in the long term they did not necessarily suffer more. This suggests that, regardless of its nature and scale, a data breach will have long-lasting impacts on the organization. Relying on the impact of a data breach diminishing over time is a risky and lengthy strategy, hence the increased need for decisive strategic action.

Integrated communications — the why

It is becoming more common for people to learn about an organization or company for the first time through the news discussing a “cybersecurity incident” impacting said organization. Learning about any brand for the first time from a perspective of trouble, chaos, poor management of a crisis can be irreversible for the subject’s reputation.

When an organization is dealing with IT difficulties in particular, the story that surfaces on social media and then appears in news outlets often carries a tone of suspicion around the organization’s leadership competency, or perhaps anticipation of a mass scandal, rather than compassion for those impacted and a true understanding of how data breaches occur in the first place. When things are on fire, few care to hear how much you value their privacy and security, just as few care to hear your apology when their personally identifiable information (PII) is at risk of being misused.

To protect reputation, it is crucial for those responding to a breach to control the narrative and be prepared to respond with solutions-oriented messaging backed by demonstration of expertise and competence. It’s times like these that an integrated communications/response plan with a focus on remaining calm, united, and consistent is crucial — it will solve half the battle.

Integrated communications — the how

If you’re within the leadership circles of your organization, chances are you will not be learning of a cyber incident impacting your systems from the media. Ideally, your own employees and those impacted by the incident shouldn’t learn about the breach from a local newspaper either, but leaks happen. There should be no excuse for why an organization is unprepared to answer questions from stakeholders, clients, customers, various business partners and journalists when they come.

Having your key contacts like legal, insurance, forensics, and communication experts on tap will establish integration points for a smooth implementation and little to no delay in response. They are the ones who will help you understand what is happening, what the necessary next steps are, what your legal obligations are, how the issue occurred in the first place, and how to prevent it from happening again, all while decoding the often-intimidating technical language and ensuring a calmer, more trusting and patient response.

While many organizations have experienced similar cybersecurity incidents, all contain unique-to-them factors impacting their strategic approach, therefore showcasing the need for a customized strategy.

5 tips for surviving a hack

  • Assess the risks your organization faces and prepare a response and recovery plan that specifically addresses cybersecurity incidents.
  • It’s important to confirm your insurance policy details and see if the insurance provider has access to a panel of experts within the cybersecurity space. Often your on-hand law firm will also have connections within the cybersecurity industry to which you can reach out for support. Regardless, do your research when building out your external response team in advance and ensure that those vetted and coming to help are experts in their fields.
  • Cooperate with digital forensics as they work through the process of identifying, preserving, analyzing, and documenting digital evidence following a data breach. It’s important for this portion to be understood thoroughly by your organization’s leadership as they will need to be able to answer to their employees, clients, and stakeholders, sometimes on short notice and often very delicately while the investigation is ongoing.
  • Rely on experts (both legal and communications), who have been in the trenches for years, to identify what you need to disclose from a legal perspective and how to disclose that information in a way that minimizes reputational damage, builds confidence, and earns trust.
  • Work with cybersecurity communications experts to help translate any technical language presented. They will also be the ones to know when to push reactive vs proactive messaging, have that messaging carefully crafted, and assist with breach notification, should it be required.

Remember, although a data breach can be disastrous to an organization’s reputation, and the possibility of becoming the next big headline continues to loom, a well-managed crisis is a great opportunity to earn and build public trust in your organization. Strong and strategic communication is key to not only protect and recover your brand, but also further build and evolve it. It will directly reflect on your ability to handle implementing better security measures moving forward, as well as any further privacy-related concerns in the future, as no organization is immune to those in today’s world.
