Communication Tools
Managing Data Loss and Theft
Today, many companies reserve a special fear for the nightmare scenario of the loss or theft of their data.
Indeed, the damage to U.S. companies and consumers from data loss and theft – in all its forms – is equal to the GDP of an oil-rich Middle Eastern Nation: $56.6 billion in 2005 and growing. More than one in four Americans had personal digital data exposed to theft in 2005-2006. Furthermore, more than 75% of companies in a recent survey reported they had been exposed to security breaches engineered by high-tech fraudsters, up from almost 25% a year earlier.
And the epidemic spread in 2007. The Identity Theft Resource Center estimates that, as of December 18, 2007, more than 79 million personal records had been compromised, an almost 400% increase from the nearly 20 million personal records lost in 2006.
The good news is that forward thinking organizations, from government agencies to banks and from universities to multinational corporations, are doing the right thing now – proceeding as if a data breach will happen. Wisely, they are planning ahead to protect brand credibility and preserve customer trust. They are evolving new and fundamental best crisis management and communications practices that emphasize:
Transparency. Disclose what you can about the incident as quickly as you can, including timelines and immediate actions to remedy the situation and hold those responsible accountable. Do so at the soonest possible opportunity. If you don’t tell the story, someone else will. You won’t like their version and the world will wonder why you are silent.
Concern, commitment, and action. Immediately apologize to all who have been affected even as you depict yourself as likewise a victim of the wrongdoing. The messaging needs to be fairly nuanced in order to capture both positional advantages: regret that people have suffered or been inconvenienced on your watch, and disappointment that your standards have been violated, especially if that violation results from the actions of a rogue employee.
Concrete steps to protect consumers. Provide affected stakeholders with a no-cost means to monitor their credit after a breach. It is a cost of doing business in the Internet Age. If the law requires you to pay in any event, you should still publicly highlight that you are doing so most willingly. Exceed disclosure requirements whenever possible; if the law only requires disclosure in the states where affected consumers live, consider disclosing nationally to confirm your total commitment to safety.
Cooperate with authorities. The relationship with law enforcement and regulatory agencies is naturally critical. If possible, coordinate every press release with those agencies. If possible, enlist the investigators as allies so your organization becomes part of the investigation and, therefore, part of the solution.
With enough resolute proactive effort, organizations that have been through the eye of the data breach storm are in a unique position to brand themselves as leaders in protecting personal privacy. They can talk about enhanced hiring procedures, amended privacy policies, and corrected IT loopholes.
Generally, the public not only supports those who’ve learned their lesson, but looks to them for leadership as well.
Related Articles: