Given the number of high profile cyber security breaches that unfolded in 2014, we reviewed how some affected companies handled the communications around their respective crises. The purpose was to spot common measures that worked well. If a company gets hacked, there are measures that can be implemented to minimize the damaging aftermath. How well they handle the communications of a breach will influence ultimately how a company will be judged by the public and portrayed by the media.
Let's face it, it’s open season for all companies to get hacked. In today’s world, every company is fair game: large or small, regardless of industry or type of operation (online or brick-and-mortar). This is especially true for companies dealing with payments, credit card or consumer information.
Cyber criminals have honed their skills at breaking into organizations previously thought untouchable. Since 2013, cyber thieves have upped their game, hacking into eBay, Target, Home Depot, Michaels, Sony, and JP Morgan, just to name a few. The U.S. Central Command’s social media accounts were even hacked at the first of this year. What’s clear is that today’s hackers have reached a new level of warfare and are employing new tricks they learn with dizzying speed, from commjacking to a wave of malicious browser extensions and plug-ins. 2015 promises an even greater number of high profile breaches. Take for example yesterday’s cyber hack of more than 4 million U.S. Federal workers’ data.
Detection of a breach typically triggers a discovery period followed by an internal investigation to ensure the vulnerability is stopped from allowing further damage. From there, companies then decide how they are going to publicly communicate the damage caused. Here’s 5 important tips to consider.
1. Time-is-of-the-essence Proactively communicating to the public information about the breach is imperative. Customers or employees need to know how their personal or financial information may have been compromised as early as possible, so that they can take matters into their own hands as well. This information disclosuer also give the company a first-hand opportunity to control the facts, helping to minimize misinformation or fact distortion. Misinformation can potentially harm the company's reputation more than is necessary, so this is extremely important.
Frequently, companies often find out that they have been hacked post-facto from third parties, like the FBI, investigative reporters, partners or customers all the more reason that they should react fast. Target, Apple, JP Morgan, Michaels and other big name companies, whose data each got compromised, made public announcements within one week or less after they identified details of their respective breaches.
It’s critical to communicate sensitive news to customers as soon as possible – not after news is made public. That's what happened to Home Depot. On September 2nd, 2014 the retailer publicly admitted a breach had occurred. However, it two weeks pass before it then emailed customers to inform them for the first time about the breach. Ironically, Home Depot was actually planning to communicate to its customers some positive news in that there was no evidence that customers’ debit PIN numbers were compromised. Instead of being perceived positively, Home Depot’s email communication left many customers irate.
The lesson learned here is that some level of timely communication is always better than none. Additionally, it’s important to inform your customers or employees of the breach before making the news public information to the rest of the world. By taking control of the information and specific details around a breach, a company can eliminate room for misinformation or speculation. Otherwise, if a company tries to hide the breach for as long as possible, once the breach becomes public, as they always do, your company will have lost its trust and credibility in the form of stock price drops and lost market value.
2. Get the facts right Communicating accurate data is even more crucial than taking the lead in public dialogue about the breach. For example, luxury retailer Neiman Marcus got hacked during the timeframe of July through October 2013, yet the company didn’t discover the breach until January 2014. Cyber security blogger Krebs on Security found out about Neiman Marcus’ hack and requested comments from the company. The retailer had to react quickly and publicly admit that "about 1.1 million cards could have been potentially visible to the malware." One month later after completing its investigation, the company lowered the estimate of cards actually comprised to 350,000. While the first public announcement provided just an approximate number of potentially exposed accounts, it allowed the retailer to later downsize this number once it completed its internal investigation. Ensuing headlines such as “Neiman Marcus downsizes the number of cards compromised” were actually perceived by the public in a more positive light.
A somewhat similar story happened to a transaction processing company Global Payments. News about a major breach in Visa and MasterCard broke on a Friday morning, March 30, 2012. There was no information about which credit card transactions provider had been hacked just some “sources in the financial sector” suggesting the breach may have involved more than 10 million credit cards. Hours later Global Payments confirmed the breach without specifying how many credit cards were affected.
Two days after the story broke, Global Payments announced that the number of potential stolen cards was only 1.5 million compared to the 10 million that the media had initially reported. Thus, by taking some time to investigate the hack, Global Payments was able to downgrade the level of the breach. The company got a chance to communicate and clarify some positive findings that “names, addresses and social security numbers were not obtained by the criminals.” As a result, the company’s handling of its crisis was handled well given the circumstances.
3. The CEO drives the conversation Assigning one person within the team to be responsible for handling all media communications pertaining to the breach makes the communications consistent and timely. Generally, breaches have broad implications around privacy and sensitivity, so it’s sometimes ideal for the CEO to take the lead and be the face and voice of the company spokesperson who talks to the public. Target’s former CEO, Gregg Steinhafel, handled the aftermath of the breach rather well. He proactively disclosed to customers investigative findings as each new finding surfaced and went on to implement successful measures to begin a long road to rebuilding the company's reputation.
4. Launch responsive, multi-channel communications It’s important to reach out to customers directly using all possible channels - email, phone, snail mail, traditional and social media (i.e., YouTube), as well as prompt responses to answer customer questions and address their concerns. It’s also a good idea to proactively maintain regular email communication with customers and constituents to keep them informed as the investigation proceedings unfold. If company communications sound genuinely apologetic, customers are more likely to stay satisfied with the way the company is resolving the breach.
Companies that are hacked should strive to keep their customers informed in a timely manner even as the incident becomes fully contained and the malware doesn’t present a threat to customers anymore. Regaining customers’ confidence is essential, so they can begin to feel safe buying from the company again.
5. At your service Different instruments can help arm customers with helpful knowledge about what additional measures they may need to take. Here’s some additional customer communication tools worthy of consideration.
- Target Corporation created a comprehensive FAQ that answered customers’ most important questions, enabling them to determine whether or not they were affected and if so, what the risks were. As a result, public and media got the impression that Target was doing everything possible to protect customers from further negative consequences.
- Giving customers as much information as possible about potential risks helps to earn back and nurture customers’ loyalty. For example, Target, Home Depot, Michaels as well as some other companies published on their respective websites lists of stores that were affected during particular periods of time, so that customers could self-identify if they were at risk or not.
- Target, Michaels and other retailers also established customer hotlines, some that were 24-hour, specifically for handling customer inquiries related to the breach, so that people could call in to get immediate answers, helping to alleviate their concerns.
- Prepare and publish key security measures that customers can take to further protect their personal information after a breach.
- Companies should consider creating a YouTube video with the CEO discussing the breach with customers. The video can serve to provide more guidance on what customers should do to protect themselves and what new safeguards the company is undertaking.
- Target, Home Depot, Michaels and others offered a range of free services to help their customers who might have been affected, such as identity protection, credit monitoring and fraud assistance.
A data breach can and should be managed in a way that can help redirect media coverage from negative to neutral. It’s also important that the company considers some of the hard lessons learned by other businesses that were hacked. What’s certain is that stakeholders and the media need to be given enough evidence that the company is reacting swiftly to do everything possible to eliminate the aftermath. The company also needs to demonstrate that it is proactively communicating in a transparent way to its customers and employees. Finally, it needs to increase its investments around security so that its systems are as strong as possible and can keep up with new ways that cyber criminals are testing to find or create new weak links to exploit.