Data Breach Response: Taking the Uncertainty out of Communications
Franchises must prepare for digital crises to protect not only customers but their most valuable asset, the brand.
By Michael Fox
When Information Security magazine dubbed 2014 “The Year of the Data Breach,” the grand total of people surprised by this “award” was: zero. The headlines, litigation, and billions of dollars spent on data breach issues had foretold this tale.
And with unanimous predictions that 2015 will be worse, companies of all sizes are reluctantly accepting the new paradigm of “when, not if” they will be thrust into a cyber issue of their own.
Indeed, this year began with the January announcement by Anthem Healthcare that nearly 80 million people were affected by its breach. Not surprisingly, the size and scale of cyber security incidents continue to escalate over time and so do the costs. While Verizon estimates the financial cost of breaches in 2014 to be $400 million to $700 million, Juniper Research forecasts the price tag will increase fourfold by 2019.
Because a cyber attack usually targets a “network,” and a franchise system is itself a network of loosely affiliated operators, franchised organizations face a unique set of obstacles in responding to such incidents. By definition, franchises operate in a more loosely affiliated manner than a traditional corporate structure, where command-and-control systems are better suited to maintaining security and to responding to an incident should one occur. The franchise model presents challenges across a number of areas, including: IT systems (are all franchisees on the same system? who oversees PCI compliance?); legal (at what point does the franchisor expose itself to claims of vicarious liability by directing the response to a breach at a franchised location?); and communications (how best to deliver a unified brand message about an incident that may have affected only a few franchisees?).
Moreover, the nature of a data breach means that it is often very difficult – and can take considerable time, which is always in short supply in a crisis – to determine what actually happened, how it happened, who was affected, and to what extent. Additionally, by the time the organization learns it has been a victim, a host of other parties such as credit card issuers, banks, payment processors, and law enforcement authorities have already found out. As a consequence, public disclosure of the breach is not always within your control.
Buffeted by these relentless forces, organizations face a dramatic choice: be controlled by events, or seize control of them. And franchises face the additional decision of asserting centralized control or deferring to individual franchisees.
Today, the best practices in data breach and crisis communications make clear that a skilled vulnerability analysis, putting the right team in place ahead of time, detailed scenario planning, development of materials, and real-time exercises provide significant value. Critical to this process is assembling the right resources in advance of an event.
Since breach notification laws in the U.S. are currently determined on a state-by-state basis (with additional federal rules for certain sectors, such as HIPAA for health information), it is essential to have attorneys on the team who understand the applicable laws and can ensure that the ensuing communication meets the legal requirements and satisfies regulators, notably state attorneys general.
Effective breach response also involves the provision of some form of credit monitoring or fraud protection for those individuals who have been victimized. There is a wide range of services and providers, and it is far better to evaluate them, build relationships, and even put agreements in place in advance that can be triggered when the need arises. You don’t want to have to negotiate with the fire department when your house is burning.
Similarly, having a pre-established relationship with a forensic IT firm that is familiar with your technology infrastructure will allow for a much shorter ramp-up time should a situation occur. In turn, this will allow the organization to more quickly understand what happened, how it happened, and which data was compromised, all of which are critical elements in the communication process. Many organizations engage the forensic firm through outside counsel so that the investigation is directed by counsel and its findings are more likely to be protected by privilege; that arrangement, too, is best settled before an incident rather than during one.
Finally, communications firms with specific experience in data breaches can help craft the messaging and communications strategies that are necessary to minimize damage to the brand and the business, and help put the organization on the road to recovery as quickly as possible.
All of these entities should be identified in advance and participate as part of a data breach crisis communications team.
Franchised organizations also need to go a step further and involve their franchisees in this process to secure necessary buy-in, either through a franchise council, regular communications, or during an annual franchise meeting. Typically a data breach would qualify as a “brand event” that necessitates, and legally permits, a franchisor to exercise control over the response without assuming liability. Since consumers do not differentiate between a corporate brand and a franchised location, and given that data breaches transcend the four walls of a retail location, it is important that the response be viewed through the broad lens of the system’s brand.
At the same time, response coordination and message alignment in the aftermath of a breach are critical. While national media will devote coverage to significant breaches, the real threat to a franchised organization comes in local markets, where print, broadcast, and online media will focus on the impact to local consumers. With TV cameras showing up outside franchised units and local papers or blogs opining on the implications of patronizing a specific location, the potential for damaged goodwill and lost sales is real.
The substance and style of communication following a breach ideally should adhere to five overarching principles:
- Facts: Information is king in the aftermath of a crisis: what happened, how did it happen, what was affected? In the absence of factual information, fear, speculation, and false information will fill the void. Because conclusive facts are often scarce immediately following the discovery of a breach, it is important to communicate process: what is being done to investigate and establish the facts, e.g., hiring advisors, cooperating with law enforcement, working around the clock, etc. Statements of fact should be limited to what the investigation has actually confirmed, since early estimates of scope and cause frequently change and a retracted claim costs more credibility than a cautious one.
- Empathy: Until you make clear your concern and regret to those who were affected – your customers – no one will listen or care what else you have to say. Implicit in your customer relationship is a promise to protect the privacy and security of the information they provide to you. A data breach represents a broken promise and therefore requires genuine contrition and empathy for the inconvenience and potential harm that has been caused.
- Accountability: It is important to remember that although you were the target of a criminal act, you are not the victim; your customers are. Whether the attacker entered through a third-party vendor or found a way around your extensive security controls, you need to accept accountability for the failure and make that clear in communications. And yes, all of this can be done without accepting liability.
- Action: Be specific about what you are doing to address the breach and to assist those affected, such as providing enhanced security measures, free credit protection, 1-800 call centers, web-based services, etc. In other words, be seen in the act of leadership.
- Remediation: To close the loop and move on from any crisis, be clear about what you are doing to prevent the same situation from recurring, including the specific security improvements being made. Avoid promising that it can “never” happen again; absolute guarantees are rarely credible and are easily falsified by the next incident.
Crisis preparedness is a must in the digital world, and franchised businesses must take special care to ensure they are prepared. By preparing in advance, providing protection to consumers, and communicating as openly and honestly as is allowed, an organization can limit the harm that extends beyond the breach itself to its most valuable asset, its consumer brand.
Michael Fox is the managing partner of ICR’s Corporate Communications Group. Find him at fransocial.franchise.org