Why reputation matters after a cyber attack

Jason Maloni, President of global crisis communications firm JadeRoq, speaks to HGI about the critical role of reputation management after a data breach.

At what stage do you get involved in a cyber security incident?

JadeRoq is engaged as soon as it is believed that the disclosure of an incident will make news. This could be because of a facet of the breach: its size, scope or the affected parties. Or, it could be some unique aspect of the business at the centre of the incident, for example, if it’s not the first time this has happened.


While JadeRoq is often the fourth phone call an organisation makes in the chain – after its insurers, legal counsel and IT forensics – we aspire to be engaged early in the process in order to help prepare with the team and properly shape the disclosure. Any disclosure has unique complexities. A great deal must happen in a short period and time is always the most precious commodity. Inevitably, companies that do it right take the field with a team that is prepared to execute a specific, strategic plan – everyone knows their roles and there is a Plan A, Plan B, and so on. The goal is always to comply with the law but also to disclose difficult news in a compassionate manner with a business’s employees, customers, partners or patients in mind. 

What is your immediate priority after being called in?

Our job is to quickly understand the facts. What do we know? What do we know we don’t know? And what are the best answers to some very difficult questions? The community will want to know what happened, what is the business doing about it and why they should continue to trust the business.

When do you go public about a breach?

As soon as you can offer good answers to the questions above. You will never have 100% insight into an incident but you must be able to address what you are doing to protect those who entrust to you their personal information. Regulators encourage quick disclosure, but I don’t know an attorney or insurer who would agree that it makes sense to rush out a statement following a data breach or cyber incident if you can’t answer some of the basic questions.

A premature disclosure can create more anxiety, so while legal and compliance guidelines are very important – and you need to know the law – it makes far more sense to ascertain the facts first and define how your business is fixing the issue.

What are the main PR mistakes organisations make after a cyber incident?

The two key mistakes are overcommunicating or undercommunicating. Very often businesses want to be aggressive and get their CEO to make a statement. But that can often elevate the tension and raise concerns if your employees, customers and partners are not used to the CEO being the spokesperson. You might use your CEO at some point but that is typically never the first card you play.


Saying too much before you have all the facts and then later having to walk back your story, when forensics determines an incident is much larger than previously believed, is also a common pitfall. Saying too little though can be just as damaging. 

How big a role does social media play?

It can be a wonderful tool to help you reach a lot of people quickly, but if you don’t handle the online chatter it can also be a very difficult challenge. A smart business will factor a social media approach into its incident response plan by making sure it can produce quick answers to questions, so its online community can see they are getting information fast. Quickly pushing conversations with distressed customers offline will also help prevent them from venting their frustrations to others.

Does the advice you give ever conflict with that of their lawyers?

I’m very concerned with a business’s ability to continue trading right now, whereas attorneys are concerned about compliance and the answers they have to provide to regulators, as well as lawsuits. While our objectives are in line, our paths to get there might vary.

Often the attorneys don’t like the CEO or executives making an apology, but sometimes people want to hear one and it can go a long way to repairing relations with customers and preserving the company’s brand.

The attorneys who handle a lot of privacy work appreciate that an organisation must marry strong words with decisive action in order to remediate an incident. Good lawyers appreciate there are optics [ways in which an event or course of action is perceived] to proper disclosure and I see less conflict between legal advice and reputation management advice these days. 

Are companies handling incidents better?

They are getting smarter about not just having insurance but also establishing relationships in advance of an incident with good lawyers, IT forensics experts, and reputation management consultants. They know their team so there is no delay with sorting out contracts or exchanging business cards [when an incident occurs]. Getting resources ready so they can be deployed quickly is a huge benefit that many businesses didn’t have in place four or five years ago.


I’m still called into issues where I don’t know the organisation, but many now realise the job is easier if the team knows each other – and importantly know the organisation – before an incident happens.

Can handling a cyber incident well actually enhance an organisation’s reputation?

Absolutely. I’ve been a part of responding to a number of breaches where an organisation has ultimately enhanced its reputation because it took aggressive measures to address a problem.

The Heartland Payment Systems data breach in 2009 – with the loss of 130 million card numbers – was the largest ever loss of bank-card data at the time, but the company used the incident as an opportunity to demonstrate leadership. Within a few days, Heartland had made direct phone contact with each of its 120,000 customers to tell them what it knew about the breach and how important each customer was to the company. Even the CEO was on the phone to customers. Its CEO shared the malware that hit Heartland with the company’s competitors so they knew what to look for. Later it released new security measures that were the best in class.


While its reputation suffered a huge initial hit, Heartland’s stock rose over time and the board and leadership remained intact. News outlets lauded its response as being the benchmark in leadership and the way to handle a crisis. It used the incident as an opportunity to show people what proper response looked like.  

People understand that bad things happen. It’s when organisations don't take steps to fix the problem or show concern for their community that people don’t forgive. 
