A comms plan won’t prevent a data breach, but it can limit damage to corporate reputation and preserve customer trust.

It’s been a little over two weeks since the introduction of the Notifiable Data Breaches (NDB) scheme of the Australian Privacy Act 1988. The new law requires all businesses to report any data breaches (perceived or confirmed) to authorities and the general public.

Targeting everyone from micro-businesses right through to the big end of town, the new laws will set the bar high for customer transparency, which is a good thing in an era where confidence and trust are key drivers of loyalty.

A study by the Ponemon Institute revealed data breaches are among the top three types of corporate incidents that affect brand reputation. For example, last year Uber was found to have concealed the theft of over 57 million users’ data worldwide; once exposed, the organisation faced over 10 new lawsuits in just a week, damaging its already tarnished reputation even further.

In the age of social media and a 24/7 news cycle, public scrutiny can have major implications for customer trust, loyalty and confidence.

Data from IMPACT’s client Unisys reveals data breaches are often attributed to an internal accident or mistake and negligent insiders, making it extremely hard to plan for or predict when a breach might occur. Therefore, having a strategy in place to help communicate data breaches to the public will be the key to influencing a positive outcome.

Own the breach and the message: It’s important to own the data breach as soon as you’re aware of it. Start by identifying what data has been compromised and be real about what the implications are. Use this to form the basis of a statement that outlines what’s happened, what’s being done, and what steps are being taken to mitigate further losses. Bring together functions from across the business to get a company-wide picture of how the data breach will impact customers and operations.

Speed matters: Being on the front foot when it comes to disclosing details of the data breach is essential. At a minimum, businesses are legally required to report a description of the data breach, details about what information has been impacted, and the organisation’s recommended steps for the individuals affected, e.g. the steps to take to reduce the risk that they experience serious harm because of the data breach.

Ultimately, think about how your customers will feel if they find out via the 6 o’clock news that their names, email addresses and financial information have been compromised.

Choose your words and be available: Personal information is just that, personal. When sensitive information has been compromised, it’s not uncommon for people to have an emotional response.

It’s critical to make sure that customer service teams have been briefed on the situation and the messages, and know how to manage customer questions. While any external communications materials should focus on the actions taken and next steps, all responses should be genuine.

The sooner an organisation discloses its data breach, the greater the chance of positively influencing the outcome.