Pointing the finger at others during an incident or crisis is a tempting proposition. It diverts attention, helps the company avoid responsibility, and means it doesn’t have to address the underlying problem.

At least, that’s the idea.

Playing the blame game can be appropriate when your company is clearly not guilty. However, in most other instances it convinces almost nobody, leaves a sour taste in the mouth, and encourages regulators to come down extra hard.

Some of the more notorious examples include BP CEO Tony Hayward blaming oil rig owner Transocean for the Deepwater Horizon disaster, and Costa Concordia CEO Pier Luigi Foschi fingering lower-level employees for the collision of his eponymous ship off the Italian coast.

More recently, the United Airlines CEO blamed ‘disruptive and belligerent’ customer David Dao for the violent melee initiated by security personnel aboard flight 3411.

Now we are seeing a rash of finger-pointing at vendors during data breaches.

In some ways, this is the nature of the data privacy beast.

The inter-connected nature of IT systems and the widespread sharing of data means companies are now more exposed than ever to data breaches, leaks and losses due to poor security or inappropriate employee behaviour at their suppliers, partners or others.

And then GDPR forces data privacy incidents into the public arena, and increases the likelihood of media slanging matches.

Over the past few days, a breach at B2B survey company Typeform resulted in the loss of data of 20,000 or so customers of multiple organisations, including the LibDems, Travelodge, Fortnum & Mason, and digital bank Monzo. The breach led to Monzo publicly terminating its relationship with the survey firm until it sorts out its security.

And we have seen Ticketmaster blame customer support vendor Inbenta for a breach of up to 40,000 of its customers’ data (see below), to which Inbenta fired back that the source of the breach was a piece of JavaScript code that had been incorrectly implemented by the ticketing company.

Ticketmaster on the Inbenta data breach

Whichever firm was at fault for the Ticketmaster incident (something we will have a clearer view of when the ICO completes its investigation), it is hardly reassuring for customers of either party.

That said, things look bleak for Ticketmaster after Monzo revealed it had warned Ticketmaster of a possible breach weeks ago, publishing a compelling graphic to make its case.

Monzo on Ticketmaster data breach timeline

Here are 5 tips for handling third-party data breach incidents involving suppliers or partners from a communications perspective:
  1. Acknowledge the issue quickly, and take responsibility. While technically, and legally, the fault for the breach may ultimately lie with your vendor or partner, your customers care little about how your business back-end works and want ownership of the problem and its speedy resolution. They expect this from you, as your customers. Ticketmaster might usefully have considered how airlines manage lost baggage: direct with the customer, with the airport manager in the background, rather than vice-versa, even if the airport is at fault.
  2. Take the moral high ground. Being honest, open, concerned and helpful from the get-go will go a long way towards defusing a tricky situation, and will mean your customers, suppliers and partners have less reason to carp about the state of your security or the nature of your communications. Ticketmaster got off on the wrong foot by apparently unfairly fingering Inbenta, and trying to appear as the hero of the hour, while failing to mention that it had been warned months previously about a possible breach.
  3. Resist directly naming your supplier/partner. Following on from the previous point, you may find it tempting to point the finger at a partner or supplier – an apparently reasonable thing to do when it appears to be at fault. But the facts may not quite turn out as you expect, and you risk being seen as high-handed or vindictive, especially if it is a smaller entity. Instead, resist naming the guilty party until the facts are clear, and then be careful to do so in a manner and tone appropriate to the misdemeanour.
  4. Reinforce your position when tempers have cooled. Public slanging matches are always ugly and do few organisations any good. Nonetheless, that’s not to say you won’t still need to pursue your interests aggressively; it’s just that this is usually best done once the initial drama of an incident dies down. At this point, you can publish the investigatory report you may have commissioned, and await any regulatory statement, or prosecution. If necessary, contest in court.
  5. Understand your reputational ecosystem. On the surface, online surveys and ticket sales have been – and remain – fairly mundane and transactional industries. But business ecosystems are changing fast, and transparency has become a strategic battleground. Banks – often the real losers when it comes to data breaches (Monzo’s CEO went on the record to say that the Ticketmaster breach led to ‘quite a big financial loss’ for the bank) – are generally happy to sit in the shadows while an incident plays out in the media. But Monzo prides itself on its transparency, and is prepared to use it defensively as well as strategically. Understanding the reputational nuances of your business ecosystem, including your suppliers’ and partners’ pain thresholds, will help you make the right decisions when things get choppy.


Today I published an updated and strengthened Privacy Policy on this website. The policy is one component of the considerable work required to prepare for the European Union’s General Data Protection Regulation (GDPR) – due to come into effect on May 25, 2018.

Though the GDPR initially seemed fairly daunting for a small operator, I came to appreciate that it also presents an opportunity to build strong relationships and trust on the basis of a real commitment to the security, privacy and confidentiality of my clients and the users of my website and other channels.

Equal treatment for everyone

While the GDPR focuses on protecting the personal information of EU citizens, I strongly believe that data privacy is a right that belongs to you, wherever you are.

Given that the GDPR is widely seen as the global gold standard for personal privacy – a standard that sits above (and in many cases, significantly above) those set in other countries and jurisdictions – you can expect me to apply the principles and rights associated with the regulation equally to everyone, everywhere.

OK, so what does this mean in practice?

The new Privacy Policy should give you a good idea what this means in terms of the day-to-day collection, management and use of your personal information, as well as your rights to access and control that information.

Behind the scenes, I have been reducing the amount of data I hold on my clients and others. For example, personal information about a client is now reduced to the bare minimum once a project has finished or a contract expired. In addition, personal information about all business contacts has been taken off the cloud and stored locally, encryption beefed up, and passwords strengthened and changed more regularly.

Much of my business comes from referrals, which means I do little or no direct or email marketing, online commerce, or online customer support. This may change as I continue to expand my business, and in all cases will involve me clearly telling you what information is being collected about you, why it is being collected, and who, if anyone, it may be shared with and for what reason.

Stay in touch

Protecting your personal privacy is not just about hitting a deadline – it is an ongoing process.

Stay tuned to this blog for further updates, and do send any feedback, comments or questions you have to privacy@charliepownall.com.

There has been much talk in the PR/communications industry about GDPR, mostly concerning marketing and media relations from a compliance perspective. There has also been considerable discussion in the legal and cybersecurity worlds about what GDPR means for data breach reporting.

By contrast, there has been relatively little guidance on how communicators should prepare to handle data breaches under the EU’s tough new regulatory regime. Given the volume of high-profile breaches, widespread anxiety about privacy, and low levels of trust in companies, it is essential that companies get their communications response right.

GDPR notification and communications grey areas

The GDPR ups the ante significantly. Article 29 requires the mandatory notification to customers (in addition to regulators) of a data breach, data loss, or data leak within 72 hours if it is seen to pose a ‘high risk’ to the rights and freedoms of individuals in terms of identity theft or fraud, financial loss, damage to reputation, discrimination, or emotional distress.

Despite clarification from the EU Article 29 Working Party in the form of its Guidelines on Personal Data Breach Notification (pdf), some operational, legal – and reputational – grey areas exist, notably concerning:

  • Timing – what constitutes a ‘reasonable’ degree of certainty that a breach has occurred
  • Level of risk – how to define that a risk to individuals’ rights and freedoms is ‘high’
  • Loss of availability – whether a breach is temporary, or permanent.

These grey areas, outlined in more detail in the slides below, may cause companies to delay or even avoid the disclosure of a known breach.


How PRs should prepare for GDPR

Here are five steps for PR/communications teams to prepare for the likelihood of having to respond to a data breach under GDPR:

  1. Understand GDPR and notification requirements, grey areas and best practices
  2. Educate leadership, legal, IT, security and other stakeholders about customer and stakeholder privacy needs and expectations; cyber/data breach reputation trends, risks and impact; and the role of communications in data breach preparation and response
  3. Ensure PR/communications is represented on relevant cybersecurity committees and teams
  4. Develop/update your corporate data breach response and crisis communications plans by assessing and prioritising different types of data breach risks to your organisation, including the reputational risks to your organisation, and for the individuals impacted; and developing communications plans for different types of breach
  5. Test and update these plans regularly – specifically data breach protocols and processes; messaging and content; your digital/social media dialogue and feedback capabilities; and leadership decision-making and team dynamics.

UK Information Commissioner Elizabeth Denham says the ICO will be proportionate in how it levies sanctions and fines. Nobody wants a fine, yet the long-term reputational impact can be far more onerous.

Are you ready for a data breach? Test your reputational defences with Charlie Pownall’s Data Breach Preparedness and Response advisory and training services.

The reaction to Marriott International’s listing of Tibet, Hong Kong, Macau and Taiwan as separate countries on a rewards club survey demonstrates the double-edged nature of visibility and success in China.

Marriott has built a tidy business in China and its speedy and wholesome apologies may have dampened the furore a little. However, legitimate questions remain as to how the company allowed such a basic error to happen in the first place (it was apparently a supplier fault).

Nikkei Asian Review asked for my thoughts on how foreign organisations operating in China should prepare for the risks that come with the territory – some of which have been tackled previously on this blog.

Here is Nikkei’s article.

And below is my full response to the journalist – whose questions have been edited for clarity.

Do you think foreign companies are becoming more vulnerable to political mistakes in China with the popularity of social media and rising nationalist sentiment?

Foreign companies operating in China have long been exposed to rumour-mongering and allegations of various types, from poor product safety and customer service to unfair pricing, corruption, sexual misconduct and threats to security.

Social media certainly fans the flames faster and makes these kinds of accusations inherently more emotive.

Yet most of these accusations have been – and remain – tacitly encouraged or directly started by Beijing, often through the mainstream media, which gives them a high level of credibility, not least at a time when the nationalist pot is being actively stirred.

Do you think these companies are aware of the political sensitivity of certain topics in China? What are the most common mistakes they have made besides categorising Taiwan, Hong Kong and Macau as countries? Can you give an example?

Most companies are aware of the many challenges of doing business in China and do their best not to cross political red lines such as Tibet, or to leave themselves open to accusations of discrimination against the Chinese people.

However, mistakes continue to be made.

Over-pricing and under-investment in customer service are common errors, leaving foreign firms open to accusations of profiteering, ineptitude or arrogance.

And not instilling in foreign employees working in the country high standards of professional and personal behaviour can be a recipe for disaster – as Daimler discovered in 2016 when a senior executive was caught delivering a racist tirade against locals in a Beijing car park.

How can foreign companies doing business in China avoid political risks?

The huge size of China’s market, the unpredictability of Chinese consumers, and the opaque nature of much decision-making in the country mean it is essential that companies operating in the country develop a close understanding of the local political, socio-economic, cultural and media context.

They must also proactively build relationships with the authorities and opinion-formers of different kinds.

China’s newfound significance on the world stage also poses risks. Like it or not, foreign companies need to appreciate that all their business activities – and not just those in China – are now more likely to be seen in a Chinese context, and that their foreignness will play out in any resultant incident or crisis in the country.

Accordingly, corporate governance at all levels must be increasingly sensitive to this new reality, and companies able to react quickly and appropriately when trouble happens.
