Data Breach Crisis Communication: How to Avoid Losing Customer Trust

A great crisis communication plan won't prevent a data breach, but it can help you come out the other side stronger.

In 2016 alone, nearly 29 million records have been compromised as a result of data breaches according to the Identity Theft Resource Center. While the data breaches responsible for these compromised records are typically discussed at length from a technological standpoint, there has been significantly less attention given to handling them from a communications angle. Before you shrug this off thinking who has time for PR when you’ve been hacked?… consider the following:

Did you know? 33% of customers reported actually gaining trust in an organization after being alerted by the company about a breach, according to Deloitte’s 2016 Privacy Index.

Effective planning and execution of a data breach crisis communication strategy will not only prevent your executive team from going gray(er), handled the right way it can even increase customer trust.

Wondering how you can you pull off the impossible and turn data breach lemons into lemonade? It’s not magic. The first step is admitting you might have a problem and preparing for it. Here are some techniques to ensure your crisis communication strategy is ready in the unfortunate event of a data breach.

When to Start Planning Your Crisis Communications Strategy (Hint: Day-of-Breach is Too Late)

Despite the prevalence of breaches, there often remains a “let’s cross our fingers and hope for the best” mentality when it comes to creating a crisis communication strategy. It is only when the breach actually happens that people start to (frantically) pull together a plan.

Pro tip: Develop your crisis communication plan when you have time to think clearly and put forward your best, most thoughtful work.

In other words, when you're anticipating a crisis, not reacting to one. 

By putting together a plug-and-play plan ahead of time (that can be later customized to meet the needs of the specific crisis that unfolds) it will allow your team to act significantly faster during a time of crisis.

Speed is key to crisis communication success. Every hour you are not telling the story, someone else might be. Planning ahead will dramatically increase your time between crisis and action.

Questions to Ask to Ensure You're Ready to Respond to a Data Breach

When putting together your company’s unique crisis communication breach strategy, here are a few questions to ask yourself:

• What are all the different types of breach crises we can imagine happening to our company? You will want to have a unique strategy planned out for each type of crisis you identify. The more work you put into identifying types of crises ahead of time the better prepared you will be when a crisis hits. Get dark and cynical people.
• For each type of crisis, who will be the public spokesperson? What if that person is not available? Who will the backup spokesperson be? Streamlining communication is extremely important during a crisis. Too many “faces of the crisis” can lead to confusion and generate more problems than you started with.
• Are our spokespeople all media trained? If not, now would be a great time to get that training in. Ain’t nobody got time for training once s%*#.. make that malware hits the fan.
• What different internal and external departments will need to work together to resolve each crisis outlined? Who is on point for each of these departments. Clear communication between departments is critical for crisis communication execution and breach management.
• What are our messages and prepared quotes for each type of crisis? While you don’t know the specifics of the crisis the core messaging will remain fairly similar. Thinking through this messaging ahead of time will save you significant stress when the breach happens.
• Who is impacted by each type of crisis? In other words, who do we need to communicate with? This will allow you to think through messaging and proactive and reactive communication strategies accordingly.
• What is our ideal timeline for all communication activities? If there are no deadlines there is zero chance you will move as quickly as is necessary once the breach happens.

Lessons from a Data Breach that Impacted 79 Million Customers

To get a better idea of how all this plays out, let’s take a look at a company who had to put an effective crisis communication strategy into action — Anthem.

In 2015, Anthem — the second-largest U.S. healthcare insurance provider — was the the victim of a data breach. Using a stolen password, hackers broke into Anthem’s database which contained the personal information of 78.8 million current and former members and employees, making this the largest breach to impact the healthcare industry to date.

So, how did Anthem handle this massive crisis communication challenge? With help from the Ketchum PR agency, Anthem knew that time and transparency were the two keys to surviving the crisis and maintaining trust with customers. Anthem’s VP of PR, Kristin Binns was quoted as saying “customers expect organizations to communicate about breaches as soon as possible and transparently.”

In addition to executing a notification plan within one week of breach, Anthem also launched a microsite that could be accessed from the company's homepage. The microsite included an FAQ and letter from CEO, Joseph Swedish, which was also shared via social channels and emailed to customers who opted to receive information from the company.

1/ Anthem was the victim of a cyber attack. No evidence medical or credit card information was compromised. More at http://t.co/ilKRmawhM6

— Anthem, Inc. (@AnthemInc) February 5, 2015

Lastly, customers impacted by the breach were offered free credit monitoring services for two years and a $1 million identity theft insurance policy from AllClear ID.

Note: Let’s not confuse an effective crisis communication strategy for a magic wand. Anthem’s communications team could not simply execute and hope the breach went away. However, their effective strategy ensured customers were able to get the answers they needed, showed Anthem was now in control of the situation, and avoided pouring gasoline on a volatile situation. Had their crisis communication strategy not been in place, the entire situation may have ended much worse.

Major takeaways: Speed matters, transparency is critical, and owning the breach is important.

Over a year later, the FBI is still investigating the attack and to-date there has been no evidence that Anthem member’s data has been sold, shared, or used fraudulently, according to an Anthem spokeswoman. While there have certainly been significant insurance and legal consequences of the breach, there has been no impact on membership or profits according to quarterly earnings calls.

Lessons from a Data Breach Handled Poorly

It is so easy to play “Monday morning quarterback” and swear you would never handle a situation the way company X did. In reality, when a crisis hits, sometimes our better judgement goes out the door and we begin to think reactively vs. strategically. This is why the pre-planning stage is so critical. Instead of pointing fingers at those who have struggled to handle breach crisis communication seamlessly, let’s collectively learn something from it. 

Target’s infamous 2013 data breach provides us with an a great learning opportunity. When 40 million customer payment cards were compromised, Target made the decision to not make the breach public until they were later exposed by Brian Kreb’s popular security blog Krebs on Security.

To make matters worse, once customers became aware of the breach they frantically attempted to reach customer service only to find that the lines were jammed. Target’s crisis communicate strategy (or lack of strategy) clearly violates our three keys to success: owning the breach and reacting with speed and transparency with customers. We all know how that breach story ended… the CIO and CEO resigned and hundreds of millions of dollars were lost.

Had Target quickly informed customers about the breach and been transparent about what they knew and how they were addressing the problem things very likely would have ended differently.

Next Steps: Get Planning

If you take one thing away from this post, let it be this: Now is the perfect time to start thinking through your breach crisis communication strategy, not when a breach actually impacts your business.