Data breach crisis plan 2018

How to protect yourself from a data breach crisis?


Carlos Maya

On April 5, 2018, Reuters reported that Sears and Delta Air Lines had been victims of a data breach through the company that provides their online services, [24]7.ai.

Sears said it was notified in mid-March of an incident that exposed the credit card data of approximately 100,000 of its customers. Delta said that personal data from passports, government IDs, security details and "SkyMiles" loyalty program IDs were not exposed. However, it could not say how many people's information had been compromised.

The week before that news, Saks and Lord & Taylor had also announced that they were victims of a data breach.

We live in the era of data, and of the phrase "information is power". That phrase has gone from being a cliché of political culture to an everyday mantra for millions of people around the world. That is also why data breach incidents have increased, and why they are dangerous, large and cost millions.

2014 was a particularly complicated year. According to information published in Cogent Business & Management, that year hackers gained access to 85 million consumer accounts at large chain stores such as Target, Michaels, Neiman Marcus, Home Depot and Staples.

The consequences of these incidents were serious (the companies suffered share price losses and spent millions to cover the consequences) and caught them all unprepared to manage a data breach or hacking crisis.

These situations showed how little the companies had prepared on the public relations side: their reaction to the public and the press was reduced to simple announcements directed at those affected, meant to quiet the uncertainty. In any case, the companies offered no convincing answers about how they would prevent it from happening again, probably because they did not know themselves.

In the years since, similar incidents have continued and personal information has become even more vulnerable. There have been so many of them that they now seem "normal" and "inevitable", since hackers are usually one step ahead of companies when it comes to cybersecurity (which is why companies pay them millions to find the holes in their systems).

Whether or not attacks are now "normal", the fact is that it is extremely important for companies to prepare themselves to face a possible public relations crisis caused by a data breach.

Can you imagine what would happen if all your years of brand-building work were ruined in minutes by a cyber attack? Few things are as harmful to a company as a newspaper headline about a hack. Do you know whether your company is ready for a crisis like that? What messages should you send? How should you react? We will talk about this and more in this article.



Don't ask yourself if, but WHEN you will receive an attack.

What to do when you have been hacked?

According to the PwC data and security breach survey (2015) for the British government, 90% of large companies (Sony, Ashley Madison, VTech, among others) were victims of information theft between 2014 and 2015. Among small businesses, 74% were affected.

The question is not whether you are going to be attacked, but when (unless you remove everything digital from your company and return to the pen-and-paper era). You have to be prepared not only at the cybersecurity level but also at the public relations level to deal with the crisis. This matters especially because most affected companies do not realise they are vulnerable until many days, or months, after the attack began. This is because hackers do something with the stolen information, which draws the attention of the affected consumers and, therefore, the press. By then the damage is done, and it may be too late to avoid the crisis.

Did you know that, according to a study by Deloitte, 33% of consumers trust a company MORE when it transparently warns them that it has been the victim of a hack?



How to prepare a crisis prevention plan against a data breach?

Before you find yourself in such a situation, we recommend you follow these 9 steps:

  1. Decide which people in your company will form the communication team in a crisis, or hire an expert agency to deal with it. Define the role of each person and the kinds of situation each will respond to in real time.

  2. Make an inventory of your digital assets, identify possible risks and threats, and run impact exercises. Do you use email a lot to keep in contact with your customers? Make sure your email provider is secure. Also, pay attention to how your staff use company mobile phones.

  3. Determine exactly which documents you must show to the authorities and decide how your communication toward public opinion should be (reactive or proactive), taking into account all the legal implications. Remember that your reaction should be different depending on whether you are a public or a private company.

  4. Identify your main contacts in all your key communication areas (main consumers, partners, shareholders, government officials, journalists, influencers) and get closer to them. Work together with your agency and its experts in crisis management and communication, who can act as an extension of your internal team.

  5. Choose someone from your company as a spokesperson and make sure they are well trained. You may need several spokespeople depending on the audiences they will address. Work hand in hand with your agency to identify and train them.

  6. Define what messages you will send, how and at what time. To do this, talk with your agency to establish what criteria must be met before certain releases go out. Remember that a data breach crisis can last for hours, days and even weeks, and you must be prepared to deal with it through its different stages. Be careful: the way the message is communicated is as important as, or more important than, the message itself.

  7. Do not leave consumers out: define how they could be affected and how you will help them. In this step you must also define how you will communicate the actions they should take to protect themselves, and how you will stay by their side.

  8. After the crisis, communicate what you have learned and the actions you have taken to prevent it from happening again.

  9. Don't forget to update your crisis plan constantly. Remember that hackers always go a step further and technology changes every day. Keep practicing, keep your spokespeople "fresh" and do not lose contact with your agency.



What to do after the damage has been done?

Remember, data breaches cost money and, above all, seriously damage the reputation of your company. When you detect that you have been affected, the first few hours are crucial.

The first thing you should do is close all your systems, then identify and isolate the affected area. Then investigate whether the hackers have also entered other areas of your company.

Now, regarding public relations, the first thing to do is calm down: do not panic, do not transmit nervousness to your employees, and work as a team. Remember that losing control makes the situation worse.

The corporate response you send will depend on when you discover that you have been breached. A data breach is a technical failure, but once it comes to light (via the press or consumers), your response should focus on looking after your company's reputation. Whether you learn of it internally or externally, your technical teams must work hand in hand with the other areas (especially public relations) to create a response strategy and thus limit the damage to your company.

Before speaking publicly, establish what was lost, who it will affect and how it happened. You should tell not only the press, but also the authorities and consumers.



4 actions to follow in an emergency.

Assuming you have your crisis plan ready, it is time to apply it! Follow these steps:

  1. Communicate.

Do you think that hiding the crisis will benefit you? NO! Quite the opposite. Speak straight and clearly with those affected as soon as possible and put the emphasis on face-to-face contact. Don't use euphemisms, be honest, show sorrow and regret, prepare thoroughly (those affected will have MANY questions), be clear, focus on keeping a good relationship with the victims, and be empathetic.

  2. Create and publish your first statement.

Now that you have addressed those who will be directly affected, it is time to publish a general statement for everyone else, especially if you think this crisis could spread beyond the press or go viral. Always check your plan and make it easy for people to find your version of events (for example, put it on your website's homepage).

Tell your story: don't lie, be honest and transparent, clearly state the consequences and what you will do about them. Answer all the questions in advance, and pay attention to SEO so that your statement is the first thing people find when they search for information.

  3. Make sure your social media team is ready.

Follow what is said about you on social media and answer the most relevant questions. Provide timely information, detect rumours and fake news, and be prepared for insults and jokes; do not take them personally.

  4. Watch your reputation online.

Related to the previous step: if the hack has already attracted a lot of attention, it is very likely to go viral on social media. Get ahead of the situation and be the one who sets the agenda. Remember that the incident can still be echoed many months after it happened, so you should keep following up on the consequences.

The role of public relations when facing a crisis due to a data breach

We will mention the main functions an agency performs in the event that you face a data breach crisis, hack, leak, etc.

    • The first and most important is planning and anticipation (preparation of the crisis plan).
    • Working hand in hand with your company's key areas related to cybersecurity to prepare crisis plans.
    • Media training for your spokespeople.
    • Immediate creation of a crisis response committee. Bear in mind that your company's staff may know a lot about data and system faults, but not about crisis management. It is recommended to have a team of experts deal with it and work with the internal areas of the affected company.
    • Running constant tests with the company's key areas to analyze different scenarios.
    • Reducing the damage in case of a crisis.
    • Understanding the concerns those affected will have, the questions the press will ask and how partners, shareholders and consumers in general will react.
    • Recovery and rehabilitation of the brand after a crisis.
    • Constantly updating the crisis plan.
    • Identifying what is an incident and what is not.

This last point is very important when choosing an expert cybersecurity agency that works properly to help you keep your operations running.



Successful and terrible case studies of facing a data breach

No one is safe, not even the big companies, and as we mentioned before, the question is not whether they will attack you, but when.

Here are just some examples of companies that were attacked and the consequences they faced:

  • Wal-Mart (2009): information theft from their ATMs. This was not made public because it was treated as an "internal problem".
  • Home Depot (2014): theft of 60 million credit card numbers. The attacks lasted for months before being discovered. The incident potentially affected all US and Canadian cardholders.
  • Target (2013 - 2014): information on more than 110 million consumers breached; the company announced that the expenses associated with this hack rose to 148 million dollars.
  • Apple (2014): hackers managed to get into celebrities' iCloud accounts, among them Jennifer Lawrence, Kate Upton and Kirsten Dunst, from whom they stole intimate photographs. The attack became known only days before the iPhone 6 launch, which hurt its debut financially.
  • Neiman Marcus (2014): hackers accessed customers' credit records and more than 60,000 alerts of suspicious activity were triggered. At first it was believed that the attack had affected 1.1 million credit cards, but in the end only 9,000 were used fraudulently, according to the company.
  • Uber (2016): personal information of 57 million users and 60,000 drivers exposed. The company acknowledged the breach a year later. It paid the hackers $100,000 to hide all traces of their "work". Its market value decreased dramatically.

And the list goes on and on: Yahoo!, Adult Friend Finder, eBay, Equifax, JP Morgan Chase, PlayStation Network, VeriSign, Adobe...

Now we will briefly look at a couple of cases that show good and bad public relations management of an incident.

 

The Anthem case: the correct way to handle a data breach.


First, let's look at a positive case: Anthem, the second most important health insurance company in the United States.

It suffered a data breach in 2015 due to a password stolen by hackers, who broke into a database of approximately 78.8 million current and former customers. It was the largest attack on the healthcare industry in history up to that time.

After the incident, and with the help of its agency, Anthem applied the principles of timeliness and transparency in order to survive the crisis and keep its consumers' trust.

Its first action was to carry out a one-week notification plan for the data breach, but it also launched a microsite that could be reached from the company's homepage. The microsite included a section of frequently asked questions and a letter from its CEO, which was also shared on social media and sent to customers who had chosen to receive information about the company.


Lastly, all affected consumers were offered a free credit monitoring service for two years and one million dollars of insurance coverage for identity theft.

As you can see, Anthem did not lie about the situation, but reduced its effects by giving its customers confidence, providing the answers they needed, showing that the company was in control of the situation, and preventing it from getting worse. This demonstrates the importance of having a crisis plan ready for these cases.



The Target case: the wrong way to handle a data breach.


In contrast, let's look at the Target case, one of the most important retail chains in the United States.

In 2013, data from around 40 million customers' credit cards was compromised, and the company decided not to make it public until a well-known security blog revealed it in February 2014.

In addition, when consumers became aware of the issue they tried to call the Target service center, collapsing the lines and the system.

The above is enough to make the company's mistakes clear: first, it hid the situation. Then it acted toward its customers with neither transparency nor speed; and finally, its managers resigned and the company lost billions of dollars.

Things would have been very different if Target had had a crisis plan and had not reacted in that way.



Conclusion

The key word when it comes to data breaches is protection: your agency should help you protect your values, customers, reputation and future in the long term. Keep this word in mind all the time, plan in advance what to do in case of a crisis, approach the experts to learn how to react during and after it, and never forget that every company that handles important data digitally is vulnerable to this type of incident.