ITL #494 - Data breach damage control: the importance of proactive planning
It is imperative to have a well-defined reputation and communications strategy in place for handling a data breach as an integral part of an incident response plan. By James Lynch.
As the number of data breaches continues to rise, so does their impact on affected businesses. According to IBM’s latest Cost of a Data Breach report, the average global cost of a data breach reached $4.35 million last year – a 12.7% increase from 2021, and the highest figure ever recorded. But the true cost invariably extends further because reputational damage also serves to devalue an organisation’s international brand, often with enduring consequences.
Chief information security officers (CISOs) routinely examine the potential financial impact of a data breach on their organisations by using the latest available data to quantify the levels of risk and mitigate their potential impact. In formulating a strategic response, they then prepare the business accordingly, not least by evaluating myriad types of cyber risk and ensuring that these are minimised through appropriate training and procedures.
The damage done by data breaches is well-documented from a financial perspective. Often less certain is how to handle the reputational damage that arises, through an effective communications protocol and solid reputation management strategies. The old adage holds true: failing to prepare is preparing to fail.
In addition to the risk of significant damage and immediately quantifiable cost, CISOs and risk managers also need to have clear and robust plans in place for handling any reputational fallout. Beyond the organisational response contained in their cyber incident response plans, this should also accommodate planning for and implementing a reputation and communications strategy.
Data breaches are one of the most common and fastest ways to undermine a company's reputation. According to a report published by Forbes Insight, 46% of organisations surveyed had suffered reputational damage following a data breach while 19% of them suffered both reputational and brand damage resulting from a third-party security breach.
Data breaches serve to undermine trust that a company has worked very hard to build over many years – not only among existing customers and potential clients, but also across the wider market. Long term, the detrimental consequences that result from this erosion of trust are clear: a loss of business, a decrease in consumer and shareholder confidence and impaired relations with suppliers.
Evidence of taking it seriously
It is therefore imperative to have a well-defined reputation and communications strategy in place for handling a data breach as an integral part of an incident response plan. Critically, the comms strategy must centre on being able to demonstrate that the issue has been taken seriously and that any deficient procedures which were in place prior to the breach will be amended or replaced as a matter of urgency going forward. Where human error is at fault for the breach, rather than a technical information security issue, the focus should be placed on increased training for staff and additional internal processes to avoid the issue arising again.
A prominent example of how not to manage a communications response around a data breach was Facebook’s response to a 2019 breach when data from 533 million people in 106 countries was published on a hacking forum. The scale of the leak did not emerge, however, until 2021 when a Facebook (now Meta) email was accidentally sent to a Belgian news outlet.
This revealed Facebook’s original strategic response: an expectation of more such incidents, a plan to frame it as an industry-wide problem that was a normal occurrence, and a belief that media attention would subside. Following the 2021 leak, Facebook said the data was old – from the previously reported leak in 2019 – and denied any wrongdoing, stating that the data was scraped from publicly available information on the site.
A warning to others
But what surfaced in 2021 highlights Facebook as a prime example of a poor corporate communications response, and a warning to others of how not to proceed. Facebook focused its response by highlighting the methodology used to cause the data breach and noted that the issue had since been fixed. But in focusing exclusively on the technological aspects of the problem, the social media giant notably forgot about the human aspect.
It failed to apologise for the reasons that allowed the leak to happen in the first place or to reassure consumers about the potential misuse of their personal data. This oversight prompted widespread criticism and significant user concern.
Thanks to extensive media reporting of the Facebook leak and a host of other high-profile data breaches in recent years, together with the introduction of GDPR in May 2018, more individuals have come to understand and appreciate the true worth of their personal data. Indeed, a recent advertising campaign from Apple places the focus squarely on the company’s privacy features. Because of the importance data privacy now holds, any significant data breach is a genuine cause for concern for the business involved.
The Facebook leak has led to a probe from the Irish data commissioner about whether it broke GDPR rules and a class action from affected EU citizens whose personal data was leaked. It is therefore no surprise that it has become a case study of what organisations should not do when faced with a comparable situation.
The human aspect
Instead, companies must ensure that the human impact of a data breach is never simply ignored and that potential risks and outcomes are always identified through a customer lens. They need to recognise that from a consumer or customer perspective, it is just as important to address these concerns as outlining the technical and procedural steps that are being taken to avoid any future breaches. After all, they trusted you with their data and, regardless of how it happened, that trust was breached.
Of course, there are multiple steps that can be taken to help avoid data breaches from arising in the first place, pre-empting the need for retrospective efforts in reputation management in the aftermath of a breach. Notably, strong internal communications can be implemented concerning the dangers of unsolicited messages that seek any kind of employee information, password security, etc.
CISOs should work closely with legal and communications teams in anticipation of a breach occurring. Being proactive rather than reactive will enable a company to prepare a sufficiently robust plan in advance that can help to protect the company from both a legal and a media perspective.
In an era where the news of a data breach can spread across the globe in an instant, being able to act rapidly and confidently is of paramount importance and can mitigate the damage to a company’s hard-won reputation.
James Lynch is a Partner at Maltin PR, an award-winning and internationally recognised London-based Legal and Litigation PR firm specialising in Legal PR, Litigation PR, Litigation Support, Crisis Communication, and Reputation Management.