First it was the dot.com boom, and now it's the data breach boom. The consequences of our increasingly computerized society are catching up with us as companies large and small seem to report data breaches daily. Sony Corp.'s recent data breach exposed over 100 million customer accounts. And another local known brand is fighting to save its reputation in the wake of a breach. The RSA Security division of EMC Corporation, a $17 billion company whose entire function is supposed to be to protect your online information, was hacked into. Yet even with these huge numbers to cite, and the investment being made in trying to avoid the occurrence of a breach, the lack of preparedness for the inevitable crises is stunning.
RSA sold 40 million SecurID devices that generate computer passwords. About 30,000 banks, corporations, and government agencies worldwide such as Wells Fargo and Lockheed Martin Corp use the SecurID system to prevent unauthorized access to their data. RSA has not yet identified what information was stolen by hackers and it seems clear that they were targeted at least in part to send a message. Competing security companies are using RSA's crisis to poach customers and solidify their own space in the market, escalating the reputation crisis into a viable business threat.
But the lesson here is not about stealing business; the lesson is that best way to solve a crisis is to avoid a crisis. These days, data breaches can't be avoided. They can only be prepared for.
As we have seen, data breaches do not normally affect people in just one community or state; they tend to be national, and as in these cases, international. Every company, no matter what the size, who can potentially be compromised by a breach needs to plan for its occurrence, because eventually, it will happen.
Businesses should have a crisis plan and team ready, consisting of legal, forensic investigators, customer response, and media teams. A data breach is a crisis that company leaders must react to swiftly, and aligning the team early is imperative in understanding the scope, forming the strategy, and most importantly, communicating to customers and community. Know who to talk to, what to report, when to report, and the means of communication. While much of it is dictated by federal law, there is some leeway to communicate key messages to your customers. Last Friday's Wall Street Journal article by Ben Worthen and Anton Troianovski gives a great overview about the ways in which companies are handling the data breach crises as they happen.
A veteran Boston lawyer once told me he always has a press release prepared, even if he doesn't use it. These days, this must also be true for all companies who could potentially be exposed to a data breach. But companies do not need just one press release, they need a detailed communications plan, with drafted and approved press release templates as supporting tactics within the larger strategy. Anticipate the crisis and have a plan at the ready to be immediately implemented.
RSA so far has proven to be quick to act. They notified customers, government agencies, and communicated with the press. Given how central data security is to their reputation, it remains to be seen what the long term impact will be for them. Sony, on the other hand, is another story. A letter to Sony CEO Jack Trenton from Connecticut Senator Richard Blumenthal was recently "leaked" to the media, further emphasizing Sony's delayed response. "Although the breach occurred nearly a week ago, Sony has not notified customers of the intrusion, or provided information that is vital to allowing individuals to protect themselves from identity theft, such as informing users whether their personal or financial information may have been compromised," wrote Sen. Blumenthal.
Sony's data breach is having the dreaded 'drip drip drip' effect of a prolonged crisis. Each week, additional news comes out about the breach, escalating the crisis and damaging Sony's reputation. In fact, just this week, Sony said additional user data in Europe was attacked but was not compromised. That has yet to be confirmed, but the number affected is 37,000 and counting.
As a crisis management firm, we have vast experience in litigation communications. We understand the importance of protecting the legal strategy, and we also understand how news coverage can jeopardize that strategy. Because of this protecting the brand and reputation of the client is a pivotal. Bad publicity surrounding a data breach threatens a company--negative coverage could undermine its reputation and erode its sales. Companies with large ambitions need to be aware of these risks, and have a plan in place for once the breach hits.
Leave a comment