Law & reputation

It’s been quite the week for apologies. Singer Rita Ora hosted a flashy 30th birthday lockdown party which was promptly shut down by the police. And news of politician Joszef Szajer’s sizzling Brussels (s)exploits burst into the mainstream consciousness. Their apologies had very different results.

Ora quickly took to Instagram to express what comes across as a fulsome and genuine mea culpa:

Szajer’s apology appeared two days after he had somewhat mysteriously resigned as an MEP and comes across as stilted and reluctant.

“I regret that I broke the lockdown rules, that was irresponsible of me, and I will accept the sanctions that result”.

His reticence almost certainly stems from the salacious nature of his activities, and from hypocrisy of a kind that makes John Major’s back to basics frolics appear like a walk in the park.

It hardly needs saying that tone counts for much when you are saying sorry, as does being seen to apologise sincerely, acknowledging where you’ve gone wrong, and taking responsibility for your actions.

Apologies and the law

Tonal differences aside, Ora and Szajer’s statements bear one thing in common: both state they accept the consequences of their actions.

This was almost certainly prompted by both parties being caught red-handed by the police.

Yet many apologies are never made out of fear of legal liability, and those that are made often avoid any admission of guilt. And as such they can easily end up as tokenistic.

As it happens, John Howell MP also introduced a private member’s bill to the House of Commons this week that ‘allows an apology to be given that is genuinely and sincerely meant without creating a legal liability that would run into millions of pounds.’

The policy driver, Howell states, is that ‘apologies can often unlock disputes and lead to settlements without recourse to formal legal action’.

This is a commendable initiative. An apology is already a statutory, professional and legal requirement in cases of NHS clinical negligence. And as Howell points out, apology laws already exist in multiple US states, Australia, Canada and elsewhere.

Howell’s recommended solution is less litigation and more arbitration and mediation. Again, the prospect of less media intrusion, lower legal fees and less pressure on our overloaded courts of justice seems eminently sensible.

Appreciate who you’re apologising to

All this is well and good in a commercial context in which big money is at stake. But it doesn’t much help ordinary individuals who are left to the mercy of the crowd and, in Ora and Szajer’s case, the mercy of the police.

To date, Rita Ora has escaped a fine, though the restaurant faces a police investigation. Szajer, on the other hand, has resigned as an MEP and been forced to leave his political party.

Neither apology appears likely to sway the police one way or the other, but it may help sway the general public and others, who are arguably their principal audiences.

While Rita Ora may have made a stupid mistake, her apology has won her at least one new fan. Meantime, Joszef Szajer is licking his wounds.

John Howell’s bill will have its second reading in March 2021. A more constructive and less legalistic environment in which an apology can be made freely and meaningfully is surely in most people’s interests.

UPDATE: It has emerged that Rita Ora has broken lockdown rules a second time, triggering a second apology.

Pointing the finger at others during an incident or crisis is a tempting proposition. It diverts attention, helps the company avoid responsibility, and means it doesn’t have to address the underlying problem.

At least, that’s the idea.

Playing the blame game can be appropriate when your company is clearly not guilty. However, in most other instances it convinces almost nobody, leaves a sour taste in the mouth, and encourages regulators to come down extra hard.

Some of the more notorious examples include BP CEO Tony Hayward blaming oil rig owner Transocean for the Deepwater Horizon disaster, and Costa Concordia CEO Pier Luigi Foschi fingering lower-level employees for the collision of his eponymous ship off the Italian coast.

More recently, United Airlines’ CEO blamed ‘disruptive and belligerent’ customer David Dao for the violent melee initiated by security personnel aboard flight 3411.

Now we are seeing a rash of finger-pointing at vendors during data breaches.

In some ways, this is the nature of the data privacy beast.

The inter-connected nature of IT systems and the widespread sharing of data means companies are now more exposed than ever to data breaches, leaks and losses due to poor security or inappropriate employee behaviour at their suppliers, partners or others.

And then GDPR forces data privacy incidents into the public arena, and increases the likelihood of media slanging matches.

Over the past few days, a breach at B2B survey company Typeform resulted in the loss of data of 20,000 or so customers of multiple organisations, including the LibDems, Travelodge, Fortnum & Mason, and digital bank Monzo. The breach led to Monzo publicly terminating its relationship with the survey firm until it sorts out its security.

And we have seen Ticketmaster blame customer support vendor Inbenta for a breach of up to 40,000 of its customers’ data (see below), to which Inbenta fired back that the source of the breach was a piece of JavaScript code that had been incorrectly implemented by the ticketing company.

Ticketmaster on the Inbenta data breach

Whichever firm was at fault for the Ticketmaster incident (something we will have a clearer view of when the ICO completes its investigation), it is hardly reassuring for customers of either party.

That said, things look bleak for Ticketmaster after Monzo revealed it had warned Ticketmaster of a possible breach weeks ago, publishing a compelling graphic to make its case.

Monzo on Ticketmaster data breach timeline

Here are 5 tips for handling third-party data breach incidents involving suppliers or partners from a communications perspective:
  1. Acknowledge the issue quickly, and take responsibility. While technically, and legally, the fault for the breach may ultimately lie with your vendor or partner, your customers care little about how your business back-end works and want ownership of the problem and its speedy resolution. As your customers, they expect this from you. Ticketmaster might usefully have considered how airlines manage lost baggage: direct with the customer, with the airport manager in the background, rather than vice-versa, even if the airport is at fault.
  2. Take the moral high ground. Being honest, open, concerned and helpful from the get-go will go a long way towards defusing a tricky situation, and will mean your customers, suppliers and partners have less reason to carp about the state of your security or the nature of your communications. Ticketmaster got off on the wrong foot by apparently unfairly fingering Inbenta, and trying to appear as the hero of the hour, while failing to mention that it had been warned months previously about a possible breach.
  3. Resist directly naming your supplier/partner. Following on from the previous point, you may find it tempting to point the finger at a partner or supplier – an apparently reasonable thing to do when it appears to be at fault. But the facts may not quite turn out as you expect, and you risk appearing high-handed or vindictive, especially if it is a smaller entity. Instead, resist naming the guilty party until the facts are clear, and then be careful to do so in a manner and tone appropriate to the misdemeanour.
  4. Reinforce your position when tempers have cooled. Public slanging matches are always ugly and do few organisations any good. That’s not to say you may not still need to pursue your interests aggressively; it’s just that this is usually best done once the initial drama of an incident dies down. At this point, you can publish the investigatory report you may have commissioned, and await any regulatory statement, or prosecution. If necessary, contest in court.
  5. Understand your reputational ecosystem. On the surface, online surveys and ticket sales have been – and remain – fairly mundane and transactional industries. But business ecosystems are changing fast, and transparency has become a strategic battleground. Banks – often the real losers when it comes to data breaches (Monzo’s CEO went on the record to say that the Ticketmaster breach led to ‘quite a big financial loss’ for the bank) – are generally happy to sit in the shadows while an incident plays out in the media. But Monzo prides itself on its transparency, and is prepared to use it defensively as well as strategically. Understanding the reputational nuances of your business ecosystem, including your suppliers’ and partners’ pain thresholds, will help you make the right decisions when things get choppy.

A ruling that UK supermarket chain Morrisons is ‘vicariously’ liable for a payroll data leak of almost 100,000 staff by a disgruntled former employee has many legal ramifications. It also has significant potential reputational implications.

To reiterate: Aggrieved that he had been discovered running an eBay sales business through Morrisons’ mailroom, then senior auditor Andrew Skelton copied and uploaded the salaries, bank details, national insurance information, postal addresses and telephone numbers of nearly 100,000 of his colleagues to a file-sharing website.

Three months later, seemingly unable to attract a buyer, Skelton sent the data to three newspapers (all of which covered the story but refused to publish the data). Within days, Skelton was identified and arrested. He was convicted and imprisoned in July 2015.

5,518 current and former employees subsequently decided to take Morrisons to court in the first data leak class action in the UK and, in December 2017, they won on the basis of vicarious liability (in which Morrisons, as his employer, was seen to be responsible for Skelton’s actions as the data controller). The ruling is seen as unusual as the leak did not result in any reported concrete financial loss for employees.

Legal commentators have noted that while the ruling can be contested at Courts of Appeal (Morrisons have confirmed their intention to appeal), and compensation is yet to be determined, an increase in data privacy class actions in the UK and a rise in legal payouts is now possible.

The ruling also potentially poses greater reputational risks for companies suffering employee-driven data leaks, including:

  • The threat of significant negative media coverage as a result of class action litigation
  • Increased scrutiny from regulators, politicians and other decision-makers
  • The perception that leadership is insufficiently knowledgeable about and/or invested in IT/cybersecurity
  • The erosion of staff loyalty and the company’s ability to recruit new talent
  • Reduced customer loyalty and loss of sales.

As if they haven’t got enough on their plates with GDPR, the Morrisons data leak ruling adds to pressure on companies to:

  • Reinforce their overall IT/cybersecurity governance and management
  • Strengthen their Incident Response and Crisis Communications Plan(s) 
  • Enhance their leadership and employee data privacy communication, training and education programmes.

Plenty for communicators, as well as for company leaders, lawyers and IT/cybersecurity teams to sink their teeth into over the coming weeks and months.

Are you ready for a data breach? Test your reputational defences with Charlie Pownall’s Data Breach Preparedness and Response advisory and training services.

The fact that anyone can turn to Facebook, Twitter or YouTube to post a negative review of a hairdresser, plumber or politician, indeed to denigrate whatever or whoever they choose, in the heat of the moment or otherwise, has resulted in defamation being employed increasingly regularly as a legal tool.

Yet the nature of social media means, like it or not, that the resolution process is also increasingly likely to be played out in public view.

In such instances, legal and communications teams must work closely together.

A prominent London-based media and defamation lawyer with whom I met recently advises the following broad principles for dealing with online defamation:

  • Balance the legal and reputational aspects of defamation carefully from the get-go
  • Negotiate a reasonable solution where possible and deploy litigation only as the final solution
  • When an issue is legally black and white, move fast to limit the potential for the falsehood to escalate
  • Make sure to use language that is user-friendly rather than overtly legalistic in all instances.

This is music to the ears of communicators, who are often left to deal with the reputational impact of legal strong-arming.

The principles above are laid out in an article I have penned for PR Week Asia.

I hope you find it interesting and useful.
