What a difference a few years makes. Once ranked among the most-feared threats to corporate reputation, cyberattacks are now so ubiquitous that managers and the general public seemingly have become inured to any but the most egregious examples. In fact, according to a 2017 Ponemon Institute study, there was a 10 percent annual decrease in the average total cost of a data breach globally. Yet, even as costs decline, the probability of experiencing a material data breach has increased to 27.7 percent in the next two years for study respondents.

“… cyber crime, by definition, is the greatest threat to every profession, every industry, every company in the world.” — Ginni Rometty, chairman, president, CEO , IBM, remarks from 2015 IBM Security Summit

An analysis of recent major data breaches (Panera Bread, Orbitz, Whole Foods, Sonic, Sears, Delta, Under Armour, Saks Fifth Avenue, Best Buy), reveals an emerging pattern for handling communications associated with cyberattacks. Together, these field-proven tactics comprise the Data Hack PR Playbook.

From a PR perspective, data breaches fall into three basic camps: One, financial events such as credit/debit card hacks with economic consequences requiring specific remediation actions, two, non-financial breaches involving passport, health and other information with less draconian fiscal outcomes, and three third party data attacks affecting client company customers.

The Data Hack PR Playbook

  • Get Ahead of the Issue
  • Apologize and Acknowledge
  • Present a Practical Solution
  • Notify Affected Parties Directly
  • Announce the Technical Fix
  • Offer an Incentive
  • Begin Brand Rehabilitation

Even though data hacks have become less devastating due to their frequency, they still require a managed response. Here’s the Data Hack PR Playbook in detail.

Get Ahead of the Issue

Under the time-proven theory that the best defense is a good offense, firms that handled a data breach successfully reacted quickly to the cyberattack, moved rapidly to minimize damage and communicated the facts with transparency. Sonic Drive-In did a great job of providing a straightforward, clear, concise statement about its data breach, explaining one, what happened, two, what data was involved in the hack three, what Sonic was doing about the situation, and four, what steps consumers could take to protect themselves including specific contact information for the FTC, state attorneys general and credit bureaus.

Apologize and Acknowledge

Apologies serve an almost ritualistic function in our society. They both diffuse and defuse anger over an event, mollify affected parties, and demonstrate respect for everyone involved. The public expects to hear an apology and needs to hear one as well. Even in the case of third party hacks, where a vendor’s actions or system weaknesses ultimately injured your customers, there is a social contract that was violated. Acknowledge that fact, apologize and move on to solutions.

Present a Practical Solution

Re-direct the conversation as quickly as possible away from the problem and toward the solution. The Data Hack Playbook suggests taking these three specific steps for the most serious of data hacks, those that affect financial and personal data integrity:

  • Provide free identity protection for a minimum of one year
  • Provide free credit card monitoring services for a minimum of one year
  • Guarantee zero liability for fraudulent charges (negotiate with financial institutions on behalf of customers)

These are baseline recommendations only, specifically designed to mitigate damages. Depending on the nature of the cyberattack and your business, there may be additional remediation activities that would go a long way to repairing the trust relationship. For example, a phone line staffed by financial counselors might be a welcome offer for consumers coping with financial disruption. The help line represents a value-add service that extends the conversation beyond a one-time interaction and guides the discussion into positive territory.

Notify Affected Parties Directly

While it is true that “like” media should be used to respond to a crisis [e.g. deploy Facebook first if that was the first reporting media], the notification process for a major cyberattack should incorporate every communications vehicle and channel in the company’s toolkit, covering every possible customer touchpoint, to ensure that affected parties are aware of the issue and corrective actions.

Again, depending on the scope and nature of the specific crisis, it may be necessary to incorporate advertising, direct mail, email, billing enclosures, telemarketing and even snail mail into the mix to blanket the target population.  As a courtesy and just good business practice, push information into the media biosphere rather than forcing customers to seek it out.

Announce the technical fix

Take advantage of the technical fix announcement as a mechanism to formally end the crisis. This release can alleviate the nagging question about what happened for customers, while reinforcing that an expert fix and preventive measures are now in place. Identifying the third party authorities involved in the solution validates the remedy and underscores the company’s commitment to making things right. Think of it as putting the period at the end of the sentence. Crisis over.

Offer an incentive

You’ve been building your “frequent flier” lists via rewards programs. Now is the time to put them to work. Reach out and offer loyal patrons a special discount with their club/membership/loyalty card, email a coupon, consider a special selection of popular items at friends and family pricing. The goal is to provide an incentive to re-engage, whether that’s coming into the store or renewing the relationship online.

Begin brand rehabilitation

It took years to build your brand. Now it’s time for brand therapy to rehabilitate the brand post-crisis. Reassert brand core values through public relations programming that reflects those values. Customers choose to work with a company in part because of the product or service provided and in part because of the company itself—its core purpose and brand values.

Like any therapeutic program, brand rehabilitation takes dedicated effort through time. But consistency and effort pay off over the long run. Sometimes, brand rehab even yields a stronger, more vibrant brand and customer relationship.

Laurel Kennedy is president of Blink OnDemand Crisis PR, a technology-based communications company offering the world’s first crisis PR planning and response software. A former executive at Edelman and Ketchum, the industry award-winning Kennedy holds the  MBA degree with honors from the University of Chicago Booth School of Business.
Outside Insights, Security, Story