Crisis communications

A series of vague and apparently contradictory statements has marked Cathay Pacific’s public response to its recent data breach – the world’s largest airline data privacy incident.

While the extent of the damage to the company and its reputation remains unclear, Cathay’s Chairman has described the breach as ‘one of the most serious’ the airline has faced, and has said that its response would be ‘different’ tomorrow.

What can be learned from the airline’s fumbled response?

First, the backstory: late one evening Cathay acknowledges a ‘data security event’ affecting 9.4 million customers that it claims to have acted to contain ‘immediately’. A torrent of negative coverage and plenty of speculation about the state of the firm’s IT security quickly ensues. Journalists and customers complain that Cathay is not responding to phone calls or emails.

The following morning Cathay admits that it had been aware of suspicious behaviour on its network for a three-month period starting in March, prompting an avalanche of questions from worried customers and bemused regulators and politicians about why it had taken so long to inform its customers. CEO Rupert Hogg takes to the media and video to defend his firm.

Three weeks later, Cathay submits a statement (pdf) to Hong Kong lawmakers confirming that the attack had intensified over a three-month period and that it had known in August that passenger data had been accessed and/or stolen. Cue a third wave of hostile coverage, this time questioning the company’s honesty and transparency. Lawmakers accuse the company of orchestrating a cover-up.

(Business Traveller has a useful timeline of the incident).

Making inaccurate or inconsistent statements during a data privacy incident is easily done when facts are thin on the ground and the media is breathing down one’s neck.

Top data breach communications pitfalls

Based on my experience, here are the top five communications mistakes organisations make when responding to a data breach – the first and most damaging of which is zero communication:

  1. Concealing a breach. Until recently, most data breaches were not made public. GDPR and other data privacy laws now mean organisations must notify those impacted and the relevant authorities about a breach. Yet some will try to bury it from public view. As Uber and Yahoo! can testify, a cover-up is seen as worse than the breach itself. Substantial fines may appear a good deterrent to concealment, but research shows the longer-term reputational damage can be more significant.
  2. Confirming a breach too slowly. Cathay Pacific delayed formal notification for three months in order to contain the attacks and to determine what data had been lost and who had been affected. But organisations in many jurisdictions are now obliged to notify regulators promptly, customers expect to be informed just as promptly, and organisations that are seen to move too slowly are viewed as unprofessional, clueless, or as having something to hide.
  3. Providing inaccurate facts or data. Cathay Pacific may have waited until it was sure of the facts and numbers, yet many organisations now go public about a breach quickly to meet their regulatory obligations, or under pressure from a third party, and then have to revise their statements as the facts become clear (e.g. Dixons Carphone revising upwards the number of records involved in its 2017 data breach from 1.2 million to 10 million). This creates additional negative news cycles, and a perception of amateurism at best and wilful obfuscation at worst.
  4. Downplaying a breach. It is tempting to claim that the sensitivity and scope of the data and systems involved in a breach are limited, or that the impact on the company and those affected is minimal. But such statements can easily come undone as the full extent of the intrusion comes to light, leaving you looking irresponsible or worse.
  5. Providing inadequate media support. Cathay chose to push out its bad news late in the evening and send its teams home. But little irritates journalists more than an unmanned or unresponsive management or communications team, and senior executives unable or unwilling to provide a human face to something that has already been confirmed publicly by the company.

Every organisation is advised to avoid these pitfalls wherever possible.

Cathay’s CEO may have promised the airline would respond differently to future breaches, but he did not elaborate how.

Notifying regulators and customers more quickly is an obvious starting point. Careful thought must also be given to the openness, transparency, tone, consistency and ownership of one’s statements, amongst other factors.

My next post will set out data breach communications best practices.

Pointing the finger at others during an incident or crisis is a tempting proposition. It diverts attention, helps the company avoid responsibility, and means it doesn’t have to address the underlying problem.

At least, that’s the idea.

Playing the blame game can be appropriate when your company is clearly not guilty. However, in most other instances it convinces almost nobody, leaves a sour taste in the mouth, and encourages regulators to come down extra hard.

Some of the more notorious examples include BP CEO Tony Hayward blaming oil rig owner Transocean for the Deepwater Horizon disaster, and Costa Concordia CEO Pier Luigi Foschi fingering lower-level employees for the collision of his eponymous ship off the Italian coast.

More recently, United Airlines’ CEO blamed ‘disruptive and belligerent’ customer David Dao for the violent melee initiated by security personnel aboard flight 3411.

Now we are seeing a rash of finger-pointing at vendors during data breaches.

In some ways, this is the nature of the data privacy beast.

The inter-connected nature of IT systems and the widespread sharing of data means companies are now more exposed than ever to data breaches, leaks and losses due to poor security or inappropriate employee behaviour at their suppliers, partners or others.

And then GDPR forces data privacy incidents into the public arena, and increases the likelihood of media slanging matches.

Over the past few days, a breach at B2B survey company Typeform resulted in the loss of data of 20,000 or so customers of multiple organisations, including the LibDems, Travelodge, Fortnum & Mason, and digital bank Monzo. The breach led to Monzo publicly terminating its relationship with the survey firm until it sorts out its security.

And we have seen Ticketmaster blame customer support vendor Inbenta for a breach of the data of up to 40,000 of its customers (see below), to which Inbenta fired back that the source of the breach lay in a piece of JavaScript code that had been incorrectly implemented by the ticketing company.

Ticketmaster on the Inbenta data breach

Whichever firm was at fault for the Ticketmaster incident (something we will have a clearer view of when the ICO completes its investigation), it is hardly reassuring for customers of either party.

That said, things look bleak for Ticketmaster after Monzo revealed it had warned Ticketmaster of a possible breach weeks ago, publishing a compelling graphic to make its case.

Monzo on Ticketmaster data breach timeline

Here are 5 tips for handling third-party data breach incidents involving suppliers or partners from a communications perspective:
  1. Acknowledge the issue quickly, and take responsibility. While technically, and legally, the fault for the breach may ultimately lie with your vendor or partner, your customers care little about how your business back-end works and want ownership of the problem and its speedy resolution. They are your customers, and they expect this from you. Ticketmaster might usefully have considered how airlines manage lost baggage: direct with the customer, with the airport manager in the background, rather than vice-versa, even if the airport is at fault.
  2. Take the moral high ground. Being honest, open, concerned and helpful from the get-go will go a long way towards defusing a tricky situation, and will mean your customers, suppliers and partners have less reason to carp about the state of your security or the nature of your communications. Ticketmaster got off on the wrong foot by apparently unfairly fingering Inbenta, and trying to appear as the hero of the hour, while failing to mention that it had been warned months previously about a possible breach.
  3. Resist directly naming your supplier/partner. Following on from the previous point, you may find it tempting to point the finger at a partner or supplier – an apparently reasonable thing to do when it appears to be at fault. But the facts may not turn out quite as you expect, and you risk being seen as high-handed or vindictive, especially if it is a smaller entity. Instead, resist naming the guilty party until the facts are clear, and then be careful to do so in a manner and tone appropriate to the misdemeanour.
  4. Reinforce your position when tempers have cooled. Public slanging matches are always ugly and do few organisations any good. That is not to say you should never pursue your interests aggressively; it is just that this is usually best done once the initial drama of an incident has died down. At that point you can publish any investigatory report you have commissioned, and await any regulatory statement or prosecution. If necessary, contest the matter in court.
  5. Understand your reputational ecosystem. On the surface, online surveys and ticket sales have been – and remain – fairly mundane and transactional industries. But business ecosystems are changing fast, and transparency has become a strategic battleground. Banks – often the real losers when it comes to data breaches (Monzo’s CEO went on the record to say that the Ticketmaster breach led to ‘quite a big financial loss’ for the bank) – are generally happy to sit in the shadows while an incident plays out in the media. But Monzo prides itself on its transparency, and is prepared to use it defensively as well as strategically. Understanding the reputational nuances of your business ecosystem, including your suppliers’ and partners’ pain thresholds, will help you make the right decisions when things get choppy.


There has been much talk in the PR/communications industry about GDPR, mostly concerning marketing and media relations from a compliance perspective. There has also been considerable discussion in the legal and cybersecurity worlds about what GDPR means for data breach reporting.

By contrast, there has been relatively little guidance on how communicators should prepare to handle data breaches under the EU’s tough new regulatory regime. Given the volume of high-profile breaches, widespread anxiety about privacy, and low levels of trust in companies, it is essential that companies get their communications response right.

GDPR notification and communications grey areas

The GDPR ups the ante significantly. Article 33 makes it mandatory to notify the supervisory authority of a personal data breach, loss or leak, where feasible within 72 hours of the organisation becoming aware of it, and Article 34 requires the affected individuals to be told without undue delay where the breach is likely to pose a ‘high risk’ to their rights and freedoms, for example identity theft or fraud, financial loss, damage to reputation, discrimination, or emotional distress.

Despite clarification from the EU Article 29 Working Party in the form of its Guidelines on Personal Data Breach Notification (pdf), some operational, legal – and reputational – grey areas exist, notably concerning:

  • Timing – when an organisation has a ‘reasonable degree of certainty’ that a breach has occurred, which is the point at which it counts as ‘aware’ and the 72-hour clock starts
  • Level of risk – how to judge whether the risk to individuals’ rights and freedoms is ‘high’
  • Loss of availability – whether a temporary loss of access to personal data, as opposed to a permanent one, counts as a breach that must be notified.

These grey areas, outlined in more detail in the slides below, may cause companies to delay or even avoid the disclosure of a known breach.


How PRs should prepare for GDPR

Here are five steps for PR/communications teams to prepare for the likelihood of having to respond to a data breach under GDPR:

  1. Understand GDPR and notification requirements, grey areas and best practices
  2. Educate leadership, legal, IT, security and other stakeholders about customer and stakeholder privacy needs and expectations; cyber/data breach reputation trends, risks and impact; and the role of communications in data breach preparation and response
  3. Ensure PR/communications is represented on relevant cybersecurity committees and teams
  4. Develop/update your corporate data breach response and crisis communications plans by assessing and prioritising different types of data breach risks to your organisation, including the reputational risks to your organisation, and for the individuals impacted; and developing communications plans for different types of breach
  5. Test and update these plans regularly – specifically data breach protocols and processes; messaging and content; your digital/social media dialogue and feedback capabilities; and leadership decision-making and team dynamics.

UK Information Commissioner Elizabeth Denham says the ICO will be proportionate in how it levies sanctions and fines. Nobody wants a fine, yet the long-term reputational impact can be far more onerous.

Are you ready for a data breach? Test your reputational defences with Charlie Pownall’s Data Breach Preparedness and Response advisory and training services.
