Blog - Another Company

How to protect yourself from a data breach crisis?

Written by Carlos Maya | Apr 10, 2018 1:00:00 PM

On April 5, 2018, Reuters reported that Sears and Delta Air Lines had been victims of a data breach through [24]7.ai, the company that provides their online services.

Sears said that it was notified in mid-March and that the breach exposed the credit card data of approximately 100,000 of its clients. Delta said that personal data from passports and from government, security and "SkyMiles" loyalty program IDs was not exposed. However, it couldn't say how many people's information had been compromised.

The week before that news, Saks and Lord & Taylor also announced that they had been victims of a data breach.

We live in the era of data and of the phrase "information is power". The phrase has gone from being a cliché of cultural products about politics to an everyday mantra for millions of people around the world. That is why data breach incidents have increased and have become dangerous, large and worth millions.

2014 was a particularly complicated year. According to information published in Cogent Business & Management, that year hackers had access to 85 million consumer accounts of large chain stores such as Target, Michaels, Neiman Marcus, Home Depot and Staples.

The consequences of these incidents were serious (companies suffered share-price losses and expenses in the millions to cover the fallout), and the incidents caught them all unprepared to manage data breach and hacking crises.

These situations demonstrated how little prepared the companies were in terms of public relations: their reaction before the public and the press was reduced to simple announcements directed at those affected, meant to quiet the uncertainty. In any case, the companies offered overwhelming answers about how they would prevent this from happening again in the future, probably because they didn't even know about it.

In the following years, similar incidents continued and personal information became more vulnerable. There have been so many of these incidents that they already seem "normal" and "inevitable", since hackers are usually one step ahead of companies when it comes to cybersecurity (this is why companies hire them for millions to debug their systems).

Whether or not the attacks are already "normal", the fact is that it is extremely important that companies prepare themselves to face a possible data breach public relations crisis.

Can you imagine what would happen if all your years of brand building work were ruined in minutes by a cyber attack? Few things are as harmful to a company as a newspaper headline about a hack. Do you know if your company is ready for a crisis like that? What messages should you send? How should you react? We will talk about this and more in this article.



Don't ask yourself if, but WHEN you will be attacked.

According to the PWC data and security breach survey (2015) for the British government, 90% of large companies (Sony, Ashley Madison, VTech, among others) were victims of information theft between 2014 and 2015. In small businesses, 74% were affected.

It is not about whether you are going to be attacked or not, but about when (unless you remove everything digital from your company and return to the paper and pencil era). You have to be prepared to deal with the crisis not only at the cybersecurity level but also at the public relations level, especially because most of the affected companies don't realise they have been breached until many days, or months, after the start of the attack. This is due to the fact that hackers do something with the stolen information, which draws the attention of the affected consumers and, therefore, the press. By then, the damage is done and it may be too late to avoid the crisis.

Did you know that, according to a study by Deloitte, 33% of consumers trust a company MORE when it transparently warns them that they have been victims of a hack?



How to prepare a crisis prevention plan against a data breach?

Before finding yourself in such a situation, we recommend you follow these 9 steps:

  1. Decide which people in your company will form the communication team in a crisis, or hire an expert agency to deal with it. Define each person's role and the kinds of situation they will respond to in real time.

  2. Make an inventory of your company's digital characteristics, identify possible risks and threats, and run impact exercises. Do you use email a lot to keep in contact with your customers? Make sure your email provider is safe. Also, pay attention to whether your people use company cell phones.

  3. Determine exactly what documents you must show to the authorities and decide whether your communication with the public should be reactive or proactive, taking into account all the legal implications. Remember that your reaction should be different depending on whether you are a public or private company.

  4. Identify your main contacts in all your key communication areas (main consumers, partners, shareholders, government employees, journalists, influencers) and get closer to them. Work together with your agency and its experts in crisis management and communication, who can be an extension of your internal team.

  5. Choose someone from your company as a spokesperson and make sure they are well trained. You may need several spokespeople depending on the audience they must address. Work hand in hand with your agency to identify them and train them.

  6. Define what messages you will spread, how and at what time. To do this, talk with your agency in order to establish what criteria must be met before certain releases are sent. Remember that a data breach crisis can last for hours, days and even weeks, and you must be prepared to deal with it during its different stages. Be careful: the way you communicate the message is as important as the message itself, or more so.

  7. Do not leave consumers aside: define how they could be affected and how you will help them. In this step you must also define how you will communicate the actions to follow to protect them and stand by them.

  8. After the crisis, you must communicate what you have learned and the actions you have taken to prevent this from happening again.

  9. Don't forget to update your crisis plan constantly. Remember that hackers always go a step further and technology changes every day. Keep practicing, keep your spokespeople "fresh" and do not lose contact with your agency.



What to do after the damage has been done?

Remember, data breaches cost money and, above all, seriously affect the reputation of your company. When you detect that you have been affected, the first few hours are crucial.

The first thing you should do is shut down all your systems, and identify and isolate the affected area. Then investigate whether the hackers have entered any of your other areas.

Now, regarding public relations, the first thing you should do is stay calm: do not panic, do not transmit nervousness to your employees, and work as a team. Remember that losing control makes the situation worse.

The corporate response you send will depend on when it is discovered that you have been breached. A data breach is a technical error, but when it comes to light (via the press or consumers), your response should focus on looking after your company's reputation. Whether you discover it internally or learn of it from outside, your technical teams must work hand in hand with other areas (especially public relations) to create a response strategy and thus limit the damage to your company.

Before speaking publicly, establish what was lost, who it will affect and how it happened. You should tell not only the press, but also the authorities and consumers.



4 actions to follow in an emergency.

Assuming you have your crisis plan ready, it's time to apply it! Follow these steps:

 

  1. Communicate.

Do you think that hiding the crisis will benefit you? NO! On the contrary. Speak plainly and clearly with those affected as soon as possible and emphasize face-to-face contact. Don't use euphemisms, be honest, show sorrow and regret, put everything into practice (those affected will have MANY questions), be clear, focus on keeping a good relationship with the victims, and be empathetic.

  2. Create and publish your first statement.

Now that you have faced those who will be directly affected, it is time to post a general statement for everyone else, especially if you think that this crisis could go beyond the press or go viral. Always check your plan and make it easier for people to find your version of the situation (for example, put it on your website's homepage).

Tell your story, don't lie, be honest and transparent, and clearly mention the consequences and what you will do about them. Answer all the questions in advance, and pay attention to SEO so that your statement is the first thing people find when searching for information.

  3. Make sure your social media team is ready.

Keep track of what is said about you on social media and answer the most relevant questions. Provide timely information, detect rumours and fake news, and be prepared for insults and jokes; do not take them personally.

  4. Watch your reputation online.

Related to the previous step: if the hack has already attracted too much attention, it is very likely to go viral on social media. Get ahead of the situation and be the one to set the agenda. Remember that the incident can be echoed many months after it happened, so you should follow up on the consequences.