One year on and GDPR is, variously, the gold standard for data privacy legislation, a monstrous example of bureaucratic red tape, or a busted flush leading to greater big tech dominance, few meaningful fines, some basic checkbox ticking and a blizzard of irritating pop-up statements.
What does the GDPR mean for business leaders, communicators, risk managers, lawyers and others preparing for tougher data privacy laws across Asia and responding to data breaches in the EU?
Here are some important principles to bear in mind:
Take swift, decisive
action to address the problem
Companies have no option other than to move fast under GDPR. There are only 72 hours to establish what has happened, assess the likely damage, notify the regulator(s) and communicate with those impacted can seem like precious little time, especially when the facts remain unclear.
Notification and communication can appear especially daunting when the hole remains open and the facts are unclear. Yet, the quicker a company moves to fix the hole and the more decisively it does it, the more likely it will be able to limit the actual and potential damage and rebuild confidence.
Err on the side of caution, but do not panic
It is easy to feel like you are being press-ganged into publicly disclosing a data breach. In fact, not all breaches need to be reported to the regulator, and some don’t need to be reported within 72 hours.
Some breaches do not pose a high risk to those impacted, while others may be considered temporary. In some cases, the data involved is unintelligible and/or already in the public domain, in others, the effort involved in notifying the regulator may be considered disproportionate to the actual or likely damage.
In such instances, a company may choose to inform the customer of an incident without notifying the regulator or making a public statement—provided it is confident it is on a safe footing legally.
However, generally, it is best to err on the side of caution and report a breach to the regulator. If one is unclear, information regulators will generally advise whether it needs to be reported. They may also provide guidance on whether it should be communicated with those impacted.
That said, there may be some instances in which
you feel it is more important to communicate immediately with those impacted,
before notifying the regulator. For example, where the data involved is
extremely sensitive, or where a supplier processing data for a business
customer is breached.
There are also good reasons to be wary of going
straight to the data subject. Customer and stakeholder expectations vary widely
on data privacy and, in the wake of an incident, their behaviours can conflict.
And news of a breach typically becomes public as soon as it has been
communicated with those impacted.
Whichever route you choose, it is usually best
to err on the side of caution. There’s no need to panic.
Be open and honest
EU information regulators have said they will take seriously anything that puts these twin principles into jeopardy and that they are willing to expand investigations beyond assessing IT/cybersecurity governance and controls to testing compliance in areas like technical competence and education and training.
The same goes for customers in Asia, who increasingly expect organisations to be honest about their shortcomings and to move quickly when something goes wrong.
Consider carefully how those impacted might be affected
Understandably, company leaders and executives fret primarily about the sensitivity and volume of data involved in a breach and what it means for the well-being of their employer. But it is just as important to pay close attention to those impacted and to the context in which the incident has occurred.
In August 2018, British Airways suffered a major breach involving the personal and financial details of over 500,000 customers. Despite no evidence of fraudulent financial activity at the time, British Airways quickly appreciated that the potential for lasting reputational damage was significant, given the large number of payment card and CVV numbers involved.
Hence the airline’s decision when it acknowledged the breach to offer compensation to customers for any financial hardship suffered—a promise that may result in significant payouts and higher insurance premiums going forward. The decision almost certainly also took into account the overwhelmingly negative reaction to the airline’s 2017 IT systems outage.
Consider carefully the needs and expectations of those impacted, the degree of external and internal scrutiny the incident attracts, your firm’s historic reputation, perceived culpability and other factors when you respond to a breach. nsider carefully the needs and expectations of those impacted, the degree of external (and internal) scrutiny the incident attracts, your firm’s historic reputation, perceived culpability and other factors when you respond to a breach.
Don’t walk away
From a communications perspective, it is
tempting to treat a breach as a one-off negative event to be resolved with
a little timely public grovelling.
This is a mistake.
Nowadays, people take naturally to social media to vent their experiences and concerns, which can easily spiral into secondary news stories. Leaks are common, and breaches easily bleed into other business issues, thereby aggravating the situation and elongating the news cycle.
Worse, GDPR means regulatory investigations, fines and litigation are more likely, resulting in additional negative publicity. In the process, you may also come under greater pressure to publish internal and expert investigative reports.
It is important to understand that a breach is
often just the start of the reputational battle, and that you must stay – and be seen to stay – the distance
in all facets of your response if you are to have any real chance of
Align your response
The messiness and complexity of data breaches and the need for different business units to be involved in the response can result in sloppy, inadequate, or inconsistent communications.
Given the expanded legal obligations under GDPR, the likelihood of the emergence of equivalent regimes across Asia and heightened public awareness of data privacy rights, it is particularly important that companies’ legal and communications responses are properly aligned.
Legal and communications teams can sometimes be at loggerheads, so this is not necessarily as straightforward as it sounds. It need not be difficult. Unlike in a court of law, in the court of public opinion, a business is presumed guilty until it proves its innocence.
This doesn’t just mean one should be as open and honest as possible and that one’s rhetoric always meets reality. It means that a company must look at the wider picture, avoid inappropriate legal threats, actions, and lawyerly sounding statements, and apologize sincerely when it is at fault.
By following these principles, you will be less likely to botch your business and communications response to a data privacy incident.
More important, you will be in a much better position you to persuade your customers and others that you are acting in their best interests.
Since the start of the yeara rumour has been swirling that Facebook has been using a then-and-now facial recognition photo-sharing challenge to collect data about users and improve its AI algorithms. The social network denies it started or is involved with the challenge.
That people suspect Facebook of being involved, and that the rumour went viral, is indicative of the suspicion with which the company is held since its flaccid approach to privacy became widespread public knowledge.
Multiple data privacy violations
These suspicions are not new. There was the row over Facebook’s Beacon user-tracking service in 2007, concerns about facial recognition, a bungled psychological experiment into the moods of its users, and run-ins with the US FTU, ACLU and privacy commissioners in multiple jursidictions over many years.
According to Google, there has been considerable public interest in privacy (mostly as a proxy for internet and/or data privacy) for many years.
Facebook had plenty of time to tackle the problem and prepare a meaningful response. The Guardian’sinitial story in December 2015 about the covert harvesting of user data by Cambridge Analytica did not ignite until whistle-blower Christopher Wylie lifted the lid on Cambridge Analytica twenty-six months later.
Yet they did little to address the core of the privacy issue, Mark Zuckerberg disappeared as soon as the story ran, and Facebook’s value dropped USD 119 billion in a single day. Zuckerberg hardly helped matters by refusing to appear before the UK DCMS Enquiry into Disinformation and ‘Fake News’.
How did Facebook fail to anticipate a major privacy crisis when the writing had been on the wall for so long? Were its leaders truly ignorant and out of touch, or simply failed to act substantively on the many warning signs? Why did they behave the way they did? Was Facebook’s experience isolated, or consistent with other reputational meltdowns?
Reputation risk management
These are the kinds of questions posed by lawyer Anthony Fitzsimmons and insurance expert Derek Atkins in their book Rethinking Reputational Risk, in which they get to practical grips with the notoriously knotty, slippery topic of reputation risk management.
Drawing on analysis of recent high profile crises such as BP’s Deepwater Horizon spill, Barclays’ LIBOR rigging, Tesco’s false accounting, and the VW diesel emissions scandal, the authors argue that the problem lies in the complexity of many modern businesses, the emergence of multiple online ‘unseen systems’, fast-changing stakeholder behaviours, inadequate listening, issues management and crisis preparedness, and an unwillingness to get to the root problem of problems and failures, chiefly due to over-confidence, complacency and hubris.
All this sounds familiar. But the book comes into its own when it addresses the failure of ‘classical’ risk management and the three/four line of defence model, which is regarded as overly rigid and ill-suited to handling the many and varied behavioural risks, from weak culture and values and inappropriate incentive schemes, to the blurring of personal and professional lives and the character and personality traits of senior leaders.
The authors rightly argue that reputation risk is first and foremost a leadership responsibility, and too often it is at Board level that things fall down. Board failures were involved in 50% of the 42 crises studied.
Because Boards are essentially self-selecting, and overly reliant on people with financial and operational experience, as opposed to the forensic, analytical, behavioural and digital skills that are required in today’s globalised, networked and inherently volatile economies. There is much in this.
Since concerns about Facebook’s approach to privacy first started emerging several years before its murky dealings with Cambridge Analytica came to light, Mark Zuckerberg and Sheryl Sandberg have admitted that they should have taken user privacy far more seriously.
The important question on why they didn’t heed the warning signals earlier appears to have a single plausible answer: user privacy was regarded as a price worth paying for growth, and they would make the most of it while the sun shone and regulators, politicians, customers and the general public had more important fish to fry.
Mark Zuckerberg may insist he is personally responsible for Facebook’s privacy lapses, but Facebook’s board is also responsible and must prove itself equal to the task of fixing the holes properly, and holding its CEO to account. Its members would do well to read Fitzsimmons and Atkins’ excellent book.
Meantime, Facebook must shoulder part of the blame for the many rumours about it – be they accurate, misinformed, or plain false.
A series of vague and apparently contradictory statements have marked Cathay Pacific’s public response to its recent data breach – the world’s largest airline data privacy incident.
While the extent of the damage to the company and its reputation remains unclear, the breach has been described by Cathay’s Chairman as ‘one of the most serious’ the airline has faced, and that its response would be ‘different’ tomorrow.
What can be learned from the airline’s fumbled response?
First, the backstory: late one evening Cathay acknowledges a ‘data security event’ affecting 9.4 million customers that it claims to have acted to contain ‘immediately’. A torrent of negative coverage and plenty of speculation about the state of the firm’s IT security quickly ensues. Journalists and customers complain that Cathay is not responding to phone calls or emails.
The following morning Cathay admits that it had been aware of suspicious behaviour on its network for a three month period starting March, prompting an avalanche of questions from worried customers and bemused regulators and politicians about why it had taken so long to inform its customers. CEO Rupert Hogg takes to the media and video to defend his firm.
Three weeks later, Cathay submits a statement (pdf) to Hong Kong lawmakers confirming the attack had intensified over a three month period and that it had known in August that passenger data had been accessed and/or stolen. Cue a third wave of hostile coverage, this time questioning the company’s honesty and transparency. Lawmakers accuse the company of orchestrating a cover-up.
Making inaccurate or inconsistent statements during a data privacy incident is easily done when facts are thin on the ground and the media is breathing down one’s neck.
Top data breach communications pitfalls
Based on my experience, here are the top five communications mistakes organisations make when responding to a data breach – the first and most damaging of which is zero communication:
Concealing a breach. Until recently, most data breaches were not made public. GDPR and other data privacy laws now mean organisations must notify those impacted and the relevant authorities about a breach. Yet some will try to bury it from public view. As Uber and Yahoo! cantestify, a cover-up is seen as worse than the breach itself. Substantial fines may appear a good deterrent to concealment, but research shows the longer-term reputational damage can be more significant.
Confirming a breach too slowly. Cathay Pacific took three months to delay formal notification in order to contain the attacks and to determine what data had been lost and who has been affected. But organisations in many jurisdictions are now obliged to notify regulators quickly, and customers now expect to be informed quickly, and view organisations that are seen to move too slowly as unprofessional, clueless, or with something to hide.
Providing inaccurate facts or data. Cathay Pacific may have waited until it was sure of the facts and numbers, yet many organisations now quickly go public about a breach to meet their regulatory obligations, or under pressure from a third party, and then have to revise their statements as the facts become clear (eg. Dixons Carphone revising upwards the number of records involved in its 2017 data breach from 1.2 million to 10 million). This creates additional negative news cycles, and creates a perception of amateurism at best and willful obfuscation at worst.
Downplaying a breach. It is tempting to claim that the sensitivity and scope of the data and systems involved in a breach are limited, or that the impact on the company and those affected is minimal. But such statements can easily come undone as the full extent of the intrusion comes to light, leaving you looking irresponsible or worse.
Providing inadequate media support. Cathay chose to push out its bad news late in the evening and send its teams home. But little irritates journalists more than an unmanned communications team or unresponsive senior management, and senior executives unable or unwilling to provide a human face to something that has already been confirmed publicly by the company.
Every organisation is advised to avoid these pitfalls wherever possible.
Cathay’s CEO may have promised the airline would respond differently to future breaches, but he did not elaborate how.
Notifying regulators and customers more quickly is an obvious starting point.
Careful thought should also be given to the openness, transparency, tone, consistency and ownership of its’s statements, amongst other factors.
Pointing the finger at others during an incident or crisis is a tempting proposition. It diverts attention, helps the company avoid responsibility, and means it doesn’t have to address the underlying problem.
At least, that’s the idea.
Playing the blame game can be appropriate when your company is clearly not guilty. However, in most other instances it convinces almost nobody, leaves a sour taste in the mouth, and encourages regulators to come down extra hard.
Some of the more notorious examples include BP CEO Tony Hayward blaming oil rig owner Transocean for the Deepwater Horizon disaster, and Costa Concordia CEO Pier Luigi Foschi fingering lower-level employees for the collision of his eponymous ship off the Italian coast.
More recently, United Airlines CEO blamed ‘disruptive and belligerent’ customer David Dao for the violent melee initiated by security personnel aboard flight 3411.
Now we are seeing a rash of finger-pointing at vendors during data breaches.
In some ways, this is the nature of the data privacy beast.
The inter-connected nature of IT systems and the widespread sharing of data means companies are now more exposed than ever to data breaches, leaks and losses due to poor security or inappropriate employee behaviour at their suppliers, partners or others.
And then GDPR forces data privacy incidents into the public arena, and increases the likelihood of media slanging matches.
Whichever firm was at fault for the Ticketmaster incident (something we will have a clearer view of when the ICO completes its investigation), it is hardly reassuring for customers of either party.
That said, things look bleak for Ticketmaster after Monzo revealed it had warned Ticketmaster of a possible breach weeks ago, publishing a compelling graphic to make its case.
Here are 5 tips for handling third-party data breach incidents involving suppliers or partners from a communications perspective:
Acknowledge the issue quickly, and take responsibility. While technically, and legally, the fault for the breach may ultimately lie with your vendor or partner, your customers care little about how your business back-end works and want ownership of the problem and its speedy resolution. They expect this from you as your customer. Ticketmaster might usefully have considered how airlines manage lost baggage: direct with the customer, with the airport manager in the background, rather than vice-versa, even if the airport is at fault.
Take the moral high ground. Being honest, open, concerned and helpful from the get-go will go a long way towards defusing a tricky situation, and will mean your customers, suppliers and partners have less reason to carp about the state of your security or the nature of your communications. Ticketmaster got off on the wrong foot by apparently unfairly fingering Inbenta, and trying to appear as the hero of the hour, while failing to mention that it had been warned months previously about a possible breach.
Resist directly naming your supplier/partner. Following on from the previous point, you may find it tempting to point the finger at a partner or supplier – an apparently reasonable thing to do when it appears to be at fault. But the facts may not quite turn out as you expect, and you risk being seen as appearing high-handed or vindictive, especially if it is a smaller entity. Instead, resist naming the guilty party until the facts are clear, and then be careful do so in a manner and tone appropriate to the misdemeanour.
Reinforce your position when tempers have cooled. Public slanging matches are always ugly and do few organisations any good. Nonetheless, that’s not to say you may still need to pursue your interests aggressively, it’s just that this is usually best done once the initial drama of an incident dies down. At this point, you can publish the investigatory report you may have commissioned, and await any regulatory statement, or prosecution. If necessary, contest in court.
Understand your reputational ecosystem. On the surface, online surveys and ticket sales have been – and remain – fairly mundane and transactional industries. But business ecosystems are changing fast, and transparency has become a strategic battleground. Banks – often the real losers when it comes to data breaches (Monzo’s CEO went on the record to say that the Ticketmaster breach led to ‘quite a big financial loss’ for the bank) – are generally happy to sit in the shadows while an incident plays out in the media. But Monzo prides itself on its transparency, and is prepared to use it defensively as well as strategically. Understanding the reputational nuances of your business ecosystem, including your suppliers’ and partners’ pain thresholds, will help you make the right decisions when things get choppy.
It is a trusim that every high-profile incident or crisis is accompanied by a tidal wave of rumour and misconception. This has always been the case, but nowadays the volume, intensity and power of false stories and fake news means every company has to work much harder to ensure what is being said about them is accurate and fair.
As Facebook can attest to the scathing reaction to some of its senior executives using social media to correct reports describing the harvesting of 50 million or so user profiles by SCL Group/Cambridge Analytica as a ‘data breach’, clamping down on rumour can feel as futile as chasing ghosts. It can also be as perilous.
This was unequivocally not a data breach. People chose to share their data with third party apps and if those third party apps did not follow the data agreements with us/users it is a violation. no systems were infiltrated, no passwords or information were stolen or hacked.
Legally and technically, Andrew Bosworth (@boztank) and his colleagues were correct – this was not a data breach. The profiles had been misappropriated rather than stolen, and precision is required from a security, legal and communications perspective.
That said, the average Facebook user has little interest or understanding of the difference between a cyber attack, data breach, data loss or data leak. She wants to know what has happened to her data, and how its unintended use may affect her. Bosworth’s intervention made Facebook appear unnecessarily touchy, defensive and inward-looking.
Worse, it rebuttal served to highlight the real, underlying issue: Facebook’s apparently cavalier approach to collecting and profiting from its users’ personal information in ways most people have little understanding of.
Handling rumour and speculation is not about pouncing ruthlessly on every misconception or tall story – it is necessary to box clever, especially when the eyes of the world are on you.
Here are five basic but important things to remember when punching back against fake or partially fake stories during a crisis:
1. Pick your target carefully.
You could spend much of your time dealing with clearly inaccurate, wilfully misleading or entirely false news in a crisis. As we have seen, a misjudged intervention can easily prove counterproductive. My advice is to focus on those rumours that you know are untrue and which may cause real long-term damage to your company’s reputation due to the plausibility of their claims and the credibility of their advocates. And to ignore rumours that are clearly absurd, irrelevant or that matter little in the broader scheme of things and to which a response will likely come across as nitpicking or needlessly defensive.
2. Speak clearly and unambiguously.
If you do decide to respond to a rumour in a crisis, make sure your position is clearly expressed and in a language that everyone from the technical expert to the bemused member of the general public can understand. Little irritates and alienates people more than a put-down full of weasel wording, legalese and jargon. Or one that fails to tackle the issue in a straight-forward manner – as demonstrated by the hostile reaction to a series of Twitter-based rebuttals by Cambridge Analytica in the aftermath of Channel 4’s first investigatory video into its dealings with Facebook.
MYTH #5: CA uses fake news. REALITY: We do not. Fake news is a serious concern for all of us in the marketing industry. Malicious actors are using the same digital marketing tools that ad agencies use, and that's deeply worrying for everybody.
There will be times when you strongly believe your company is innocent or is being unfairly maligned in a crisis. In such instances, it is tempting to hit back as hard as possible. There are good reasons to resist this urge. Some people may not understand what is necessarily a complex situation or topic. Others will struggle to give you the benefit of the doubt based on their personal experiences and interactions over the years. And nobody appreciates being told what to think.
Even if a crisis is not your fault you must accept that others are entitled to their point of view and explain your case in a way they can relate to and understand. This requires paying close attention to the tone of your words and making sure you are not seen as arrogant, patronising or antagonistic at any time.
If success breeds envy and scrutiny, then so be it. There are countless firms that have used our tactics to get information on target customers. More in @Forbes: https://t.co/lb9re88E9j
4. Support your position clearly and in a human way.
Today’s distrustful business and political environment means words alone may be insufficient to quell a rumour. Rather, it is necessary to buttress your case with compelling evidence. Better still that respected third-parties are willing and able to support your argument in the mainstream media and online.
And the more human you can appear the better. Mark Zuckerberg may have been conspicuously absent from Facebook’s response to its current data privacy crisis over the past few days and while he has been accused of hiding behind his Facebook page he has used it successfully in the past to set the record straight by answering questions and generally giving the impression he is available and willing to talk.
5. Provide a visible call to action.
Whichever way you choose to rebut a rumour or misconception, it is important to provide people with an easy way to get further information. This might be an email address, telephone number or URL that directs people to a news article or dedicated crisis website or page containing your statements, plans, FAQs and other resources. Whatever it is, signpost it clearly on your homepage and media statements, and work it into your tweets and other interactions.
Combatting false rumours is a real challenge for business owners and communicators at any time, and is particularly tricky during a crisis. A hard head and thick skin are useful attributes, but even more necessary is the ability to read the public mood and react in an appropriate manner, even when presented with the most jaundiced and outlandish views.
These five basic considerations will ensure you are in a decent position to stop rumour and speculation escalating and start convincing people of your side of the argument.