Mon, May 4, 2020

The Role of PR In Mitigating Reputational Risks from a Data Breach

A mature security program must be structured around a defensible strategy, and a clear communications plan that takes into consideration affected and interested parties is a major aspect of it. 

Brian Lapidus, practice leader of Identify Theft & Breach Notification practice at Kroll, joined crisis communications experts, Zach Olsen, President, and Kelsey Eidbo, client supervisor, from Infinite Global to outline key steps and must-have deliverables that help minimize reputational risk during an incident.  

Watch the Webinar Replay

Webcast and Videos

This 30-min webcast covers:

  • Considerations for developing a plan before an incident and why
  • Why a communications team should fully be part of your Incident Response Plan (and common missteps when organizations try to skirt it)
  • A detailed outline of key responsibilities
  • Some of the fundamental deliverables for breach response communications

Download Webcast Slides.

Notable Passages From the Presentation

Crisis Communication Plans 

Smaller organizations can be wiped out when these events happen and they're not prepared. Unfortunately we've seen many clients or heard of many companies who have had these events and didn't have the resources to deal with them and shut their doors, because they weren't able to handle the rigor both from just handling the event upfront as well as dealing with the repercussions on the back end. I think it's also important to note that not only is the institution impacted, but often the consumers or the customers of that organization are impacted as well. – Brian Lapidus

Now a thoughtful and thorough crisis communication plan allows the business to minimize this reputational damage, and also begin restoring customer trust from their first announcement through all of the touch points, through resolution of the incident. So an example would be, we've seen companies who come out and say, yes, we've had an event and we've impacted this amount of data. 48 hours later they're changing their story. That doesn't instill a lot of confidence in the market, and in the customers, because they're hearing bits and pieces of it. So one of the things that we like to do collectively with our clients and people that our organizations we're working with is to make sure they have a really good picture of what happened, understand the details in a way that allows them to be clear and concise in their comms and then make sure that it's in line with what the customer is used to hearing. – Brian Lapidus

The complexity with which responding to these incidents is, and one of the most often overlooked, the most important audiences is the internal one at a client, right? So one of the challenges with communicating about a breach is that we often don't have all of the information in the first days, in the first weeks of an investigation. So if you can buy yourself some time with the internal audiences, the folks that are working for your organization and might be talking about a breach before it's public, the more runway you have to be able to communicate externally in a way that's accurate and thoughtful later down the line. So it's important not to forget about those internal employee audiences as well because they can be either great supporters or great agitators when these events happen. – Zach Olsen

Data Breaches Can Cause Customer Churn 

So we've talked a bit about customer churn and there's no question that data breach has caused this type of churn for customers. I think this data is really interesting and I want to highlight it for a couple of reasons. The main reason being there is a real risk to an organization who doesn't handle these events well, and don't think about the customer impact. So if you look through this slide from general merchants, 33% of those consumers are changing providers after an event, for healthcare 30%, for financial institutions 24%. And I look at the healthcare one and that one has always sort of struggled. It's kind of blown me away quite frankly. – Brian Lapidus

Crisis Communications is part of a Defensible Security Strategy 

So much like chess, your strategy has to put you in a position to defend what's most important. And in this particular case, the most important information is that sensitive data that could be involved in a data breach. When it comes to security, this is the definition of a defensible strategy and a communication plan and how you're communicating during and after an event is a key pillar in that strategy. – Brian Lapidus

Pre-Breach Communications Planning 

So when we talk about optimizing the role of PR in a breach, it's really well before an incident that you can have the greatest impact on how a breach is received by the stakeholders in your organization cares about. – Zach Olsen

Part of the planning process is to make sure that you get to know them ahead of using them. So your first interaction between the PR firm and your marketing department, the PR firm and your GC (General Counsel), PR firm and your C suite is not in the midst of a crisis. – Kelsey Eidbo

So understanding why the PR firm is involved ahead of time will really help expedite the response. Ensure all incident response team members have your agency’s contact information within reach, so when the incident does happen, they know exactly who to call and when. And then also develop a crisis communications playbook that at the very least has the name and contact information of the full response teams, names and contact information for your PR agency and other vendors and the list of internal and external audiences that can just serve as a checklist as you’re going through your response time. Also, media policy should be included, so your full firm is well aware of when they should be responding to media inquiries which typically should not be. Kelsey Eidbo

A comprehensive playbook should also hold response steps, prerequisites for going public, potential vulnerabilities, holding statements, and some statement prompts so when a scenario arises, again you have that checklist you can go through and make sure you're really covering all your bases. Make sure to test the plans, everybody understands the roles and you'll see in that role that people probably aren't going to respond the same way they would actually during an incident. But you'll also see how people respond, and it'll help people practice once an incident occur, they understand when it's their turn to step in. – Kelsey Eidbo

Responding to a Breach: The Role of PR

The media cycle of the data breach, what are the news triggers? How do we get ready for them so we're not caught off guard. How do we communicate with critical audiences through a breach, which channels do we use? Who's our spokesperson? What kind of tone and style do we use when talking to our customers and how do we mirror that, now that we're mired in a crisis so that we don't make it worse on ourselves. When and how to leverage social media, what's the organization's social footprint and how do we leverage those channels to communicate with the audiences we care about in a way that is still in line with the goals of the legal team so that we're mitigating our risk of litigation. – Zach Olsen

…the role of a PR agency in this incident isn't to cover up a data breach or to spin it into something it isn't, but it's really to manage the process in a way that's going to minimize negative attention and reputational risk or restoring trust to your audiences. These strategies include using potential news triggers to anticipate the new cycles such as when the notifications are going to go out to determine how to react or not. Figuring out what an ideal outcome looks like and how to get there as well as what a worst case scenario looks like, and what to do if we end up there. We'll serve as an intermediary with the media when necessary to ensure we're keeping up with the requests, we're not missing the opportunity to tell our side of the story if appropriate, and we're preventing the spread of inaccurate information.– Kelsey Eidbo

So there are often differences between what different parties involved in the crisis want to be doing. The legal team probably wants to say little to nothing, but the client is familiar with the audiences and wants to keep them updated. So just having an external party to advise on the best way to do that can be very helpful in that situation. Pointing back to just consistency throughout the communications and that's what really can continue building trust when customers are getting the right information throughout. – Kelsey Eidbo

Breach Notification and Customized, Compliant Communications

The notification is the official party line, right? It is what the organization is committing to in terms of their story, right? So it's a really important piece of information that serves as the base if you will, of the narrative moving forward. – Brian Lapidus

…the minute you announce, class action lawyers start gathering, they are target audience the minute these events happen. So we tend to work with our clients after the fact as well to make sure, because we've been with them through the entire event. So we're able to say, hey, we know who called in, we know how many people activated services. And all of that data becomes really, really strong evidence against the class action. And many of our clients have been able to say, look, we did everything in our power because we communicated well and we provided the right services and we provided the right services to those impacted. – Brian Lapidus

 



Cyber and Data Resilience

Incident response, digital forensics, breach notification, security strategy, managed security services, discovery solutions, security transformation.

Identity Theft and Breach Notification

Services include drafting communications, full-service mailing, alternate notifications.

Virtual CISO (vCISO) Advisory Services

Kroll’s Virtual CISO (vCISO) services help executives, security and technology teams safeguard information assets while supporting business operations with augmented cyber expertise to reduce business risk, signal commitment to data security and enhance overall security posture.


CyberDetectER

Proactively monitor, detect and respond to threats virtually anywhere – on endpoints and throughout the surface, deep and dark web.