According to the Breach Level Index, 2017 was a record year for data breaches, with more than 2.6 billion data records compromised and nearly three-quarters of breaches originating from "malicious outsiders." Data breach incidents at companies operating globally across multiple industries, from retail and financial services to healthcare and educational institutions, have affected nearly every American household, at the same time eroding the affected company's market position and shaking consumer confidence.
The outcome of a data breach event can vary materially based on a number of factors. Breaches in the retail and financial industries have resulted in the loss of customers, the decline in stock values, and even class action lawsuits, while some healthcare organizations have been forced into bankruptcy following breaches that exposed patients’ private health information.
While a breach itself may cause significant damage to any brand, a company's response plays the most critical role in protecting corporate reputation and, ultimately, restoring consumer confidence. Emerging global regulations set specific response requirements and reporting timelines, but meeting those requirements is only the floor: companies must also ensure that their breach response plans account for, and give priority to, strategic stakeholder communication.
The 24-hour news cycle and real-time access to information can elevate a data breach to broad consumer awareness within hours. A company's visibility and engagement with its internal and external audiences in the wake of a data breach is paramount to easing immediate concerns and conveying a long-term commitment to remediation. From incident response planning through the completion of consumer remediation, companies responding to a data breach can protect their brand and reputation by remaining visible and communicating strategically with stakeholders through every stage of the response.
Incident response planning
Proactive incident response planning underpins a company’s ability to respond quickly and effectively to breach situations. Comprehensive plans can help preserve corporate reputation specifically by accounting for and outlining stakeholder communications objectives and tactics, ensuring the right communications are delivered at the right time throughout the response cycle.
Breach response teams should be identified in advance and trained on response protocols before a crisis occurs. They should include representatives from every company department, and in particular executives, in-house communications professionals, and third-party data breach response providers. Response teams should allocate time and resources to conduct annual mock data breach exercises (tabletop exercises) to confirm that processes are current and adequately address all foreseeable contingencies; an exercise that only walks through the technical containment steps and skips the notification and communications steps leaves the most reputation-sensitive part of the plan untested.
Finally, a detailed record of all response plans, planning activities, and mock exercises should be maintained and provided to clients as evidence of the company's commitment to data protection.
Communications Best Practices
Prepare and maintain a list of company stakeholders and contact information to facilitate rapid response and real-time communication in the event of a breach. The list should include employees, customers, regulatory bodies and enforcement agencies, and industry news media. Delegate a response team member to update this list quarterly.
Develop draft response communications and alerts tailored to specific parties in advance to shorten approval timelines following a breach. Draft responses should contain only information that is known to be true at the time of release and is relevant to the recipient; a statement that later has to be retracted does more damage than a statement that is brief.
Anticipate and prepare frequently asked questions (FAQs) and resources for stakeholders that can be easily updated with breach-specific information and deployed in near-real time following a breach.
Identify company spokespersons for media inquiries and other public statements, and conduct professional media training in advance so they are prepared to deliver sufficient detail without compromising the integrity of the response or the ongoing investigation.
When a data breach occurs, the affected parties must be notified within a timeframe that satisfies state, federal, and industry regulations. Those regulatory deadlines are the hard outer bound; within them, the company should also consider the impact that the timing of notification will have on both the brand and its consumers. Ideally, consumers will learn of the data breach directly from the company, allowing it to maintain control of the messaging and details and to outline remediation plans at the outset.
Together with its data breach response provider, company leadership should assess an appropriate level of visibility, recognizing that in many cases a company's visibility following a crisis event may lead to increased brand favorability. Too often, companies avoid associating themselves with a breach response, when in reality remaining connected to the breach resolution is paramount to preserving corporate reputation. Executives should be prepared to express regret, without admitting liability, in initial internal and external communications following a data breach.
When notifying consumers of a breach, companies will want to use all available communications channels to maximize reach, including U.S. mail, email, earned media, and social media. Notification documents should be crafted with careful attention to demographic, socioeconomic, and geographic factors to ensure key messages resonate with a broad audience. It is also important to consider small details, such as how email subject lines affect open rates and whether notification terminology may cause messages to be flagged as spam. Because attackers routinely imitate breach notices in phishing campaigns, a notification email should never ask the recipient to supply credentials, account numbers, or other personal data, and any link it contains should point to a page on the company's own domain that the recipient can also reach independently, so that a genuine notice is distinguishable from a forged one.
Communications Best Practices
Control the flow of response information through a steady stream of company-issued statements, while remaining as accessible to the news media as possible. Whenever possible, prepare responses to inquiries, however brief, rather than declining to comment.
Draft notification documents in plain language, including key information such as when and how the breach occurred, what information was compromised, what actions have been taken to contain the breach, and what next steps the company is taking to rectify the situation. Ask response team members from multiple departments to review the drafts for accuracy, legality, and readability.
Conduct subject line testing on the first five percent of email notifications to gauge open rates, then send the remaining email notifications with the subject line that produced the highest open rate during testing. Keep the test window short enough that the full send still lands within the regulatory notification deadline.
Incorporate company branding, brand voice, and tone into all consumer notification documents as well as paid, earned, and social media notifications to maintain consistency and keep the brand aligned with data breach resolution.
Contact center deployment + Consumer resources
Following any data breach notification, consumers inevitably will have questions and concerns, and a company’s ability to respond quickly, accurately, and empathetically is critical to protecting its reputation. A well-designed, consumer-facing website and dedicated contact center are two important tools that enable a positive consumer experience in an otherwise difficult situation.
Deployment of a secure, user-friendly, and ADA-accessible website should be timed closely with consumer notification. The site should outline the details of the breach, respond to anticipated questions, and direct visitors to additional sources of information, such as a contact center hotline. It should be served over HTTPS from the company's own domain, or be clearly linked from the company's main site, so that consumers can tell it apart from copycat sites set up to harvest their information. Likewise, contact center partners should be engaged in advance and prepared to launch breach response programs in as little as 48 hours to ensure stakeholders have access to the resources they need. Whenever possible, these resources should be listed in the consumer notification documents.
Positive brand representation is critical at this stage of the breach response, where consumers have their first direct, personal engagement with the affected company. Breach response teams must take a hands-on approach to the development of these communications resources to ensure they represent the company brand well.
Communications Best Practices
When schedules allow, breach response teams should work with contact center leadership and web developers in the design of call center scripts, FAQs, and web content to confirm these external communications align with the brand, accurately communicate its position, and positively represent its values. For some companies, a template call center script will sound disingenuous for existing customers who are accustomed to a particular brand voice.
Working with the call center management team, determine the response team’s level of involvement within the quality assurance processes. There may be opportunities to remotely monitor calls for quality and accuracy, allowing the company to identify any communications gaps and make real-time corrections.
Websites need not be complex to convey the necessary information. In fact, simple language in an easy-to-read format will earn the respect and appreciation of consumers who may be confused or otherwise concerned. Again, take care to ensure websites are accessible to visitors who speak different languages and have varying educational backgrounds.
Data breach remediation, often in the form of credit monitoring or identity theft restoration, is a key component of data breach response, whether voluntarily initiated or court-ordered following a class action lawsuit. Oftentimes, the affected company can protect itself from further reputational damage by being transparent about what accepting remediation means for the consumer. For example, in some cases accepting remediation may waive a consumer's ability to participate in a class action lawsuit or take other future action, a fact that should be communicated clearly during remediation.
Data breach response teams play a critical role in communicating remediation offerings to consumers. Too often, the terms and conditions of remediation are misrepresented on the consumer website or otherwise poorly communicated to stakeholders. Even when the proposed remediation genuinely benefits consumers, poor communication alone can call into question the efficacy of the remediation and the brand's reputation, further straining consumer loyalty.
Once again, a collaborative approach between the remediation provider and the data breach response team is necessary. Company logos, a consistent brand voice and tone, and genuine communication will ensure the company remains associated with the remediation solution rather than solely with the data breach event.
Communications Best Practices
When feasible, companies should issue a written apology from senior leadership to be delivered in conjunction with the consumer remediation payments or services as an added signal of regret for the data breach.
Request consumer feedback on the company's overall breach response and the efficacy of its remediation solutions via a digital survey. These surveys should be reviewed at the conclusion of the response program and used to inform future plans and programs.
In the post-remediation phase, strive to remain visible to consumers, providing relevant updates into the company’s process modifications and security enhancements as a way to rebuild trust and credibility.
In our globally connected, technology-driven world, data breach events are a harsh reality. While data breaches themselves no longer guarantee irreparable damage to a company or its reputation, the manner in which a company responds to them can. When managed properly and communicated strategically, companies can emerge from data breach incidents with both their corporate reputation and the confidence of their consumers intact.
In the midst of a data breach response, the logistics of containing the breach and working with regulators and enforcement agencies can take center stage. That said, the communication of response efforts, particularly the customer-facing communication, will largely determine how the company is perceived by its consumers. The communications strategies and best practices outlined here help ensure consumers view the company and its leadership as good stewards of their business who did the right thing, which can strengthen consumer loyalty, in some cases beyond what existed prior to the breach.