What’s one of the top worries of C-suite executives these days? Whether or not their company can survive a database breach.
And for good reason. A recent global survey conducted by Gemalto found that “nearly two-thirds (64%) of consumers surveyed worldwide say they are unlikely to shop or do business again with a company that had experienced a breach where financial information was stolen, and almost half (49%) had the same opinion when it came to data breaches where personal information was stolen.”
The survey covered Australia, Brazil, France, Germany, Japan, the United Kingdom, and the United States, factoring in the opinions of 5,750 consumers. Highlights describe the extent of the issue:
- 31% of respondents have already been affected by a data breach in the past.
- Only 25% of all respondents feel that companies take the protection and security of customer data very seriously.
- More than twice as many respondents feel that the responsibility of protecting and securing customer data falls on the company (69%) as opposed to the customer (31%).
- 23% of respondents who have been a victim of a data breach either have considered or would consider taking legal action against the breached company involved in exposing their personal information.
These findings indicate that consumers could potentially turn their backs on companies that do not protect their customer base, and may even take legal action. The results of the study might even lead some to jump to the conclusion that if a company is breached, its reputation and viability are doomed.
However, the evidence doesn’t follow this assumption. While many might imagine that a data breach and the ensuing media frenzy would trigger a reaction where customers, and then stakeholders, would jump ship, in fact, as journalist Doug Drinkwater on CSO observes, “…on closer inspection, it could be argued that this reputation argument is a falsehood.” A data breach may actually have little or no impact on a company’s long-term reputation.
Drinkwater expertly backs up his opinion with clear examples of share price comparisons. Five large brands–Adobe, Target, eBay, JP Morgan, and Home Depot–demonstrated a share price increase over a 12-month period despite significant data breaches.
Drinkwater does not deny that damage is done to a company after a data breach: “customer loyalty damage is done in the event of a breach, and…sales do take a nosedive.” But he simply argues that despite all the company costs related to a data breach, “additional security (pen testers, consultants, security vendors, PRs and lawyers), litigation and fines by data protection authorities,” the larger more entrenched companies “are confident they can ride on past the fines and fees, and keep hold of their customers.”
Finally, Drinkwater asserts that “It’s clear then that breaches do result in damaged trust, to a degree brand reputation, and bottom line. Target and JP Morgan pledged to spend an additional $100 million and $500 million on security post-breach, while Target also had to pay back card issuers, and lost $236 million in breach-related costs ($90 million of which was offset by insurance). The experts believe that this cost–and brand damage–can be significantly reduced if a breach is responded to properly.”
All indications show that Drinkwater’s observations are valid. Why? Larger companies that have been breached have the critical mass to absorb impacts to their reputations. They can ride out the storm, make amends to affected customers, activate policies, processes, and procedures to prevent and/or mitigate similar events in the future, and offer customers some form of identity theft protection for a period after the event.
The larger companies have the infrastructure, assets, and advisors necessary to react appropriately to a breach. They know that preparation and timely action are key. They put systems, policies and processes in place before a crisis to protect the company’s reputation and customer base.
Sadly, smaller companies pay a greater price. Either they are in their startup phase and do not have the financial capacity to pay experts for advice and mitigating solutions, and/or they have not invested in a proactive public relations campaign as one of the key strategic factors that could help them survive a data base breach.
Reputation protection options
Even though bigger companies have the resources to protect their reputations and weather a crisis, smaller companies do stand a better chance of recovering from a data breach with their reputations intact provided they take a number of steps:
Understand the risks. Smaller companies should understand the risks that they face on a daily basis. Many fail to conduct a risk and vulnerability audit to determine where they are at risk from a man-made, natural, or technology-based critical event that could decimate their business and income, or simply put them out of business.
Build a strategic PR campaign. A strong PR campaign built on the company’s business and marketing objectives is essential. Companies with an established brand and a proactive PR campaign with established relationships with key journalists stand a better chance of communicating effectively during a crisis, and the media will be more receptive to the company’s messaging because they are already familiar with the business.
Social media communications are a core component of a sound PR plan, both for communication and for monitoring. When a crisis happens, if strong media and social media monitoring protocols are already in place, the company will be able to efficiently track public and media sentiment and articulate its messaging accordingly.
Invest in a content marketing campaign. Focused, relevant, and consistent customer communications will result in customers being fully engaged with company messaging. Then, when a crisis hits, customer communication infrastructure is already set up, and all that is needed is the necessary honest and spin free messaging, insight and updates. Engaged customers are more likely to continue being receptive to truthful and regular communications, and to potentially support a business during a crisis.
Without a customer communications strategy and infrastructure, it could take anywhere between a couple of hours or a few days to get the message out because content and a database will need to be created first. This is crisis communication lag time that a company may not have. A slow or poorly thought out response will reveal to the public that the company is reactive, not proactive. In the early days of a crisis, inadequate response can lead to losing the battle of the rumor mill, losing control of messaging, and above all, losing trust. It doesn’t take long for a company to be mortally wounded from a brand trust perspective.
Develop updated business continuity, incident response and disaster recovery plans. This critical component to staying afloat during hard times is strongly recommended in the Poneman Institute’s 2015 Cost of Data Breach Study for the United States, with benchmark data sponsored by IBM. Key players need to know how to respond to an emergency, what IT assets exist, how they should be used, if an invocation should be ordered, how and when a database should be rebuilt, who will be involved in response and recovery, etc.
Invest in a crisis communications plan. An effective crisis communications plan will work in tandem with the PR campaign and the business continuity plan. While it is impossible to have a crisis plan that encompasses every potential crisis scenario, a company should have a master crisis communications plan that is both easy to implement and flexible enough to incorporate change as events unfold.
The recent wave of hacking is indeed alarming. In the New York Post, Bill Hardekopf, Chief Executive of LowCards.com, observes that “…people are getting freaked out by all the data breaches.” He adds, however, that retailers who have experienced breaches are probably more secure, more aware, and working harder today because of their experience.
Companies are rolling with the punches, and learning from their mistakes. They are learning that a relatively small investment in PR consulting ahead of time could pay off significantly in curtailing future losses, or even the loss of the business. As Warren Buffett reminds us, “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.”
In the current climate, it is no longer a matter of if a data breach will strike, but when. All companies should anticipate being hacked. What they do once the hack has occurred could save time, money, frustration, and their hard-won reputation. The bigger the company, the more resilient they may be when weathering a bad reputation storm. Smaller businesses are at greater risk: they must be ready and able to respond proactively and communicate as openly and rapidly as possible to preserve their customer base.
Based in Syracuse, N.Y., Fortress Strategic Communications provides specialized strategic public relations and crisis communications consulting to companies that offer products, services, and solutions designed to manage and mitigate all types of risk. The company is able to draw on a combined 20 years of global experience from its executives in a wide array of vertical markets. For more information please visit: www.fortresscomms.com