Communicating a Data Breach: Choose Your Words Carefully

March 17, 2017

By: Leslie Walsh

Cyber connectivity has enabled companies to understand and interact with consumers in a far more sophisticated way than ever before. At the same time, hackers are increasingly upping the ante with schemes and full-blown attacks that are becoming impossible to ignore. And by all accounts, this ride is only picking up speed. Tune in to the first two-minutes of the March 13th The Daily podcast from the New York Times if the optimist in you is being stubborn (or naïve).

In 2016 alone, half of Canadian C-suite executives and nearly a quarter of entrepreneurs say their companies experienced a cyber breach.

Vulnerabilities in a company’s cybersecurity can arise for any number of reasons, from careless or unaware employees, to outdated IT systems. In a recent interview with The Wall Street Journal, John Hering of Lookout Inc., a mobile security firm, said vulnerabilities are inevitable; the difference between being secure and insecure is how quickly you respond.

But what does this mean for a business’ reputation? How companies communicate with their key stakeholders during a breach goes a long way in determining the impact a data incident will have on consumer confidence. For communications professionals, this means extensive planning before your company is targeted by hackers to ensure that the right cadence and content of information is communicated to the right audiences at the appropriate time.

When planning for a cyber crisis, communications experts must recognize that we can’t tackle the work in a silo and that the best approach involves working alongside our counterparts from legal and insurance.

I sat down with Imran Ahmad, a Toronto-based lawyer with the law firm Miller Thomson LLP and who specializes in cybersecurity, to gain his insights on communications around a data breach.

“The number one thing companies must communicate during a breach is that the matter is well in hand and illustrate that there are clear next steps,” says Ahmad. “The message cannot be, ‘We’ve been breached, and we’ll get back to you.’ You must demonstrate that you’re in control of the situation, you’re working with regulators and law enforcement, and you have your clients’ best interests in mind.”

Ahmad cites the 2014 Home Depot credit card payment system hack as an exceptional example of how to communicate during a cybersecurity crisis. Following the breach, Home Depot notified the relevant privacy commissioners across Canada, issued press releases and directly contacted 500,000 potentially affected customers. The company apologized for the breach, confirmed actions were taken to eradicate the problem, informed impacted parties that they would not have to pay for any of the fraudulent charges and even offered free credit monitoring.

While a class action lawsuit was approved, punitive damages were not awarded in full, partially because of Home Depot’s handling of the situation. As Justice Perell explained as part of his decision:

The real villains in the piece were the computer hackers, who stole the data. After the data breach was discovered, there was no cover up, and Home Depot responded as a good corporate citizen to remedy the data breach. There is no reason to think that it needed or was deserving of behaviour modification. Home Depot’s voluntarily-offered package of benefits to its customers is superior to the package of benefits achieved in the class actions.

The Home Depot example, however, is the exception to the rule, says Ahmad. In trying to demonstrate to customers that they are being proactive and are taking ownership of a breach, companies can inadvertently put themselves in a more tenuous legal position if they don’t spend the time upfront to map out likely outcomes associated with a given communication strategy.

“The biggest mistake companies can make during a data breach, from a legal standpoint, is taking full culpability for the lapse in security,” says Ahmad. “It’s important to strike a balance between assuaging the fears and anger of clients, while also being mindful of potential legal liability implications.”

Ahmad encourages communicators, where appropriate, to use conditional language during a crisis, such as, ‘We regret this breach occurred and are taking the necessary steps to ensure that those affected by the breach are not harmed further.’ Conditional language will allow companies to protect their reputations by expressing empathy, proactively communicating to stakeholders and minimizing the potential damage associated with data theft, while also mitigating their potential liability.

Often, the biggest roadblock to communicating effectively during a breach is fear of the unknown, says Ahmad. Companies worry about how a breach will be perceived and the potential legal implications of engaging with stakeholders. But with new federal regulations coming into force later this year, requiring businesses to report data breaches or face fines up to $100,000, they must start to overcome this fear.

“The new legal obligation to report breaches and potential penalties for not doing so is a step in the right direction to protect clients and will force companies to engage with their stakeholders,” says Ahmad.

“Those organizations that are prepared for crisis situations and have developed messaging catered to their various stakeholders, whether they are consumers, suppliers, employees, vendors, or shareholders, will be better positioned to mitigate damage from both a legal and reputational standpoint.”

Leslie Walsh is senior vice president of FleishmanHillard’s Reputation Practice in Toronto. You can reach her at leslie.walsh@fleishman.ca.