Archive

Leadership communications

A series of vague and apparently contradictory statements have marked Cathay Pacific’s public response to its recent data breach – the world’s largest airline data privacy incident.

While the extent of the damage to the company and its reputation remains unclear, Cathay’s Chairman has described the breach as ‘one of the most serious’ the airline has faced, and said that its response would be ‘different’ tomorrow.

What can be learned from the airline’s fumbled response?

First, the backstory: late one evening Cathay acknowledges a ‘data security event’ affecting 9.4 million customers that it claims to have acted to contain ‘immediately’. A torrent of negative coverage and plenty of speculation about the state of the firm’s IT security quickly ensues. Journalists and customers complain that Cathay is not responding to phone calls or emails.

The following morning Cathay admits that it had been aware of suspicious behaviour on its network for a three-month period starting in March, prompting an avalanche of questions from worried customers and bemused regulators and politicians about why it had taken so long to inform its customers. CEO Rupert Hogg takes to the media and video to defend his firm.

Three weeks later, Cathay submits a statement (pdf) to Hong Kong lawmakers confirming the attack had intensified over a three-month period and that it had known in August that passenger data had been accessed and/or stolen. Cue a third wave of hostile coverage, this time questioning the company’s honesty and transparency. Lawmakers accuse the company of orchestrating a cover-up.

(Business Traveller has a useful timeline of the incident).

Making inaccurate or inconsistent statements during a data privacy incident is easily done when facts are thin on the ground and the media is breathing down one’s neck.

Top data breach communications pitfalls

Based on my experience, here are the top five communications mistakes organisations make when responding to a data breach – the first and most damaging of which is zero communication:

  1. Concealing a breach. Until recently, most data breaches were not made public. GDPR and other data privacy laws now mean organisations must notify those impacted and the relevant authorities about a breach. Yet some will try to bury it from public view. As Uber and Yahoo! can testify, a cover-up is seen as worse than the breach itself. Substantial fines may appear a good deterrent to concealment, but research shows the longer-term reputational damage can be more significant.
  2. Confirming a breach too slowly. Cathay Pacific delayed formal notification for three months in order to contain the attacks and to determine what data had been lost and who had been affected. But organisations in many jurisdictions are now obliged to notify regulators quickly, and customers expect to be informed promptly and view organisations that are seen to move too slowly as unprofessional, clueless, or as having something to hide.
  3. Providing inaccurate facts or data. Cathay Pacific may have waited until it was sure of the facts and numbers, yet many organisations now quickly go public about a breach to meet their regulatory obligations, or under pressure from a third party, and then have to revise their statements as the facts become clear (e.g. Dixons Carphone revising upwards the number of records involved in its 2017 data breach from 1.2 million to 10 million). This generates additional negative news cycles and creates a perception of amateurism at best and wilful obfuscation at worst.
  4. Downplaying a breach. It is tempting to claim that the sensitivity and scope of the data and systems involved in a breach are limited, or that the impact on the company and those affected is minimal. But such statements can easily come undone as the full extent of the intrusion comes to light, leaving you looking irresponsible or worse.
  5. Providing inadequate media support. Cathay chose to push out its bad news late in the evening and send its teams home. But little irritates journalists more than an unmanned or unresponsive management or communications team, and senior executives unable or unwilling to provide a human face to something that has already been confirmed publicly by the company.

Every organisation is advised to avoid these pitfalls wherever possible.

Cathay’s CEO may have promised the airline would respond differently to future breaches, but he did not elaborate how.

Notifying regulators and customers more quickly is an obvious starting point. Careful thought must also be given to the openness, transparency, tone, consistency and ownership of one’s statements, amongst other factors.

My next post will set out data breach communications best practices.

Tim Bell has been widely – and rightly, in my opinion – excoriated for his ‘car crash’ Newsnight appearance before Kirsty Wark defending his role in Bell Pottinger’s demise.

With his (former) company on the verge of bankruptcy, his own name being dragged through the mud, and mindful of the potential impact of his own consultancy Les Frontieres, Bell set out to distance himself from events, and from his sparring partner James Henderson.

Arguably, he just about managed it, even if he also came across as arrogant, dismissive, and shifty.

 

He also made a notable gaffe by leaving his phone switched on.

But was this the silly, cringe-worthy error it appeared?

Bell is a seasoned PR hand who prepped Margaret Thatcher, amongst others, for media interviews.

There is almost zero chance he would accidentally have left his phone on. And even less chance that he would have failed to turn it off again during a high-profile, high-stakes interview.

Bell deliberately left his phone on and enlisted friends to call and message him in order to disorientate and distract his interviewer from the outset.

The diversionary tactic failed. Wark stuck doggedly to her task and proved she was not for turning – leaving Bell in an even deeper hole.

Thatcher can only be turning in her grave.

As our local vicar likes to remind us, Christmas is about giving and about receiving. It is not just about Playstations and socks and mince pies; what really counts is that it is done with meaning and integrity.

It is the thought that counts.

I am reminded of a passage in Michael J. Sandel’s book Justice. A meditation on political philosophy, Justice also makes the case for civic engagement in politics, something that seems a pitifully low priority for governing classes across much of the world.

The passage in question was the opening salvo in Robert F. Kennedy’s campaign to become US President, which saw him addressing students at the University of Kansas in March 1968. Of course, Kennedy’s campaign was doomed as within weeks he had succumbed to an assassin’s bullet in Los Angeles.

While the gist of his words is striking – even for the 1960s – its expression makes for a stirring and memorable piece of communication:

Too much and for too long, we seemed to have surrendered personal excellence and community values in the mere accumulation of material things. Our Gross National Product, now, is over $800 billion dollars a year, but that Gross National Product – if we judge the United States of America by that – that Gross National Product counts air pollution and cigarette advertising, and ambulances to clear our highways of carnage.  It counts special locks for our doors and the jails for the people who break them.  It counts the destruction of the redwood and the loss of our natural wonder in chaotic sprawl.  It counts napalm and counts nuclear warheads and armored cars for the police to fight the riots in our cities.  It counts Whitman’s rifle and Speck’s knife, and the television programs which glorify violence in order to sell toys to our children.  Yet the gross national product does not allow for the health of our children, the quality of their education or the joy of their play.  It does not include the beauty of our poetry or the strength of our marriages, the intelligence of our public debate or the integrity of our public officials.  It measures neither our wit nor our courage, neither our wisdom nor our learning, neither our compassion nor our devotion to our country, it measures everything in short, except that which makes life worthwhile.  And it can tell us everything about America except why we are proud that we are Americans.

The full text of RFK’s speech can be read here.

By contrast, Pope Francis’ recent denunciation of trickle-down economics appears an exercise in stilted verbosity which, while making headlines, also forced the Papacy into a clarification.

That said, it is certainly worth a read. Here is a decent overview.

Just as it does for companies and governments, the Playstation era enables religious leaders to communicate directly with their audiences.

As the Pope’s use of Twitter shows, this doesn’t mean that official communication must necessarily be dumbed down.

But it does have to be clear and, better still, emotive if it is to change hearts and minds – principles RFK had certainly heeded.

Whatever your religion and politics, Happy Christmas and here’s hoping for a meaningful and prosperous 2014.
