Expert Interview with Oliver S. Schmidt -- Managing Partner, C4CS, LLC
1. How do you define a data breach, and what industries and companies are affected by data breaches?
We define a data breach as the intentional or unintentional access, disclosure, or acquisition of sensitive, protected or confidential data to one or more unauthorized individuals.
We use this broad definition because it applies to anything from the accidental loss of a single unencrypted laptop that has confidential information on it to a massive IT system hack that results in unauthorized access to a large number of bank accounts, health records, Social Security numbers, or other confidential data.
While businesses of all sizes have data at risk, the larger companies in sectors such as financial services, health care, and retail are typically more concerned about cyber security related risks. These companies are also more likely to make comprehensive crisis preparedness planning a priority.
However, because a data breach can hit any company at any time no matter the size, industry or location, we encourage all of our client partners to assess the potential reputation and financial damage of a data breach and implement necessary steps to increase related crisis readiness as soon as possible.
2. Is it true that data breaches are a top concern for senior management teams and corporate boards?
Yes, that is correct. One only needs to take a look at the risk factors publicly traded companies identify in their annual reports. Data security risks increasingly play a prominent role because all publicly traded companies rely on properly functioning IT solutions that safeguard confidential data at all times.
The Allianz Risk Barometer 2016, which surveyed more than 800 risk experts from about 40 countries, concluded that on a global scale companies are less concerned about traditional crisis risks such as fire or natural disasters. The key developing business risks are cyber incidents such as cyber crime, data breaches and IT failures. The same risk experts also identified cyber incidents as the top emerging risks over the next 10 years.
Of course, print and broadcast as well as social media have played a big role in spreading information concerning significant data breaches including those that affected Anthem, eBay, JP Morgan Chase, Target, United Airlines, and other large corporations and their stakeholders. We share this graphic with management teams that have yet to tackle data breach related crisis preparedness planning and point out that Google and other expert sources estimate the number of daily cyber security incidents around the world to be in the thousands. According to a report released by the Identity Theft Resource Center, more than 750 tracked data breaches occurred in 2015 just in the United States.
Fortunately, a growing number of senior executives and corporate boards have data security risks on their radar. They know that if a data breach of a certain magnitude hits their company unprepared, stakeholder trust would inevitably erode and damage to corporate reputation and the bottom line could be catastrophic. These concerns are backed up by recent research conducted by the Ponemon Institute and published in October of 2015. The institute's study regarding the cost of cyber crime in the United States revealed that the mean annualized cost for about 60 benchmarked organizations is $15 million per year, ranging from about $2 million to $65 million per year per company.
There are also more and more important research findings concerning consumer opinions and related actions in response to data breaches available. The research results make it clear that no company can afford to underestimate the negative impact a data breach can have on the business. Here are two recent studies of interest.
A global survey conducted on behalf of Gemalto in October and November of 2015 found that "nearly two-thirds (64%) of consumers surveyed worldwide say they are unlikely to shop or do business again with a company that had experienced a breach where financial information was stolen, and almost half (49%) had the same opinion when it came to data breaches where personal information was stolen."
The international law firm Morrison & Foerster recently published the results of an online survey that was conducted in the U.S. in November of 2015. According to the report, "more-educated, higher-earning consumers are more likely to stop buying from a business because of a data breach. Among respondents, approximately one in five (22%) reported that they no longer purchased products or services from a company because of a reported data breach. High-earning, well-educated consumers reacted the least favorably to this scenario."
3. What should companies do in order to prepare for a data breach and protect corporate reputation?
First, it is necessary to thoroughly assess the current preparedness level. Lots of questions have to be answered as part of this process. What does the IT function already have in place to prevent, quickly identify and effectively respond to a data breach? How well is management across all company locations, hierarchical levels, and functional areas prepared to respond to a data breach? Which stakeholders may be affected by a data breach and what will be the most effective way to communicate with them in case of an incident? Do existing crisis response plans and procedures also cover data breach incidents? What if an important business partner got hacked and the data breach severely impacted both businesses? When and how is management going to share data security related preparedness planning information with relevant stakeholders including employees, lawmakers, regulators, and shareholders? Do the company's in-house attorneys and external legal counsel have the required knowledge and experience to help manage the data breach response? Are designated primary and backup spokespersons capable of answering tough technical questions from reporters? Have all primary and backup members of the company's crisis response teams participated in crisis communication training, tabletop exercises and crisis response drills that utilize realistic data breach scenarios? And so on.
We regularly speak with senior managers who believe their companies are quite well prepared even though data breach specific incident response procedures do not exist, the crisis communication plan has not been updated to include data breach related information, etc. In these situations, enlisting the help of external crisis and reputation management experts can mean the difference between successfully mitigating a data breach crisis and suffering significant loss to brand equity, reputation and the bottom line.
As data breaches are frequently discovered by affected stakeholders before management becomes aware of them, Internet and social media monitoring plays an increasingly important role in enabling the prompt identification of and effective managerial, operational and communication response to a data breach. Long before the crisis happens, data breach related message development regarding potentially affected internal and external stakeholders should occur and a dark site that can quickly go live when a data breach hits should be added to the corporate web site. On-camera media training specifically geared toward highly technical data breach related questions from print and broadcast news media outlets as well as bloggers also needs to be conducted during the pre-crisis phase.
Senior management must understand and act upon the fact that cyber security is not just an IT problem. And because successfully protecting confidential data is a must, sufficient resources have to be made available so a customized incident response plan can be devised and executed. Legal, corporate communications, finance, HR, and other departments need to work in lockstep to enable mandatory breach notification, thorough incident investigation, and timely and coherent initial and follow-up communication with other relevant stakeholders including employees, customers, suppliers, etc. Such communication must provide stakeholders the opportunity to ask questions and provide feedback.
Last but not least, we recommend our client partners consider data breach insurance. It is important to look at different coverage options and carefully evaluate offers from multiple providers.
4. How should companies respond to a data breach from a crisis communication and reputation management perspective?
When a data breach occurs, the overarching goal must be to do right by the company's stakeholders, and especially consumers. If consumers are directly impacted by a data breach - for example when consumer financial data or health records have been compromised - other stakeholders including regulatory authorities, shareholders and the news media also tend to be less critical of how the company is handling the crisis if management publicly acknowledges the breach as soon as possible and immediately begins to communicate how damage suffered by individual consumers has been minimized and what steps have been and will be taken to rectify the situation. It is important to keep in mind that while the company is technically also a victim, its stakeholders will blame management for not preventing the illegal activity from happening. As a result, publicly expressing empathy and showing a strong commitment to transparent communication will go a long way toward rebuilding stakeholder trust and corporate reputation.
There are a number of other factors that complicate an effective communication response to a data breach. I already mentioned the fact that management is often not aware of a data breach until affected stakeholders alert the company - or the news media - and voice their concerns. The news media will investigate the company's data breach preparedness and response and put pressure on management to thoroughly explain what happened and why. It may, however, take several weeks or even months for forensics experts to determine the exact cause of a data breach, and for example due to legal requirements the company may not be permitted to divulge information requested by inquiring stakeholders.
Effective employee communication also plays a critical role in successfully responding to data breaches and protecting corporate reputation and the bottom line. The board of directors must be kept abreast. The management team must stay informed concerning what is happening and coherently and timely convey data breach related information internally and externally. Front line employees need to know how to respond to questions and criticism from stakeholders with whom they interact on a daily basis.
The to-do list is long, and there is no guarantee that whatever strategic and tactical decisions are made in response to a data breach will lead to the desired outcome. However, companies that went through a comprehensive crisis preparedness planning process which included establishing proper communication responsibilities and procedures as well as conducting recurring scenario-based crisis communication training, tabletop exercises, and crisis drills will fare much better when a data breach happens than those that neglected the necessary preparedness planning.
About the interviewee:
Oliver S. Schmidt is managing partner of C4CS® (www.c4cs.com), which specializes in strategic communication and crisis management. Based in Pittsburgh, Pennsylvania, Schmidt has worked with clients in the Americas, Asia and Europe, and has provided consulting and training services to senior managers in several dozen countries. He regularly advises corporate leaders in regard to cyber security related incident preparedness planning and crisis response and makes presentations to professional audiences.
Mr. Schmidt can be contacted at firstname.lastname@example.org.
Follow his company on Twitter: @C4CSinfo
Sign up for the C4CS® eNewsletter: http://goo.gl/whaoM3