Archive

Tag Archives: Data breach

One year on and GDPR is, variously, the gold standard for data privacy legislation, a monstrous example of bureaucratic red tape, or a busted flush leading to greater big tech dominance, few meaningful fines, some basic checkbox ticking and a blizzard of irritating pop-up statements.

94,000+ complaints and 64,000+ data breach notifications later, including some major breaches, regulators are starting to bear their teeth. Accordingly, companies are actively lawyering up.

With the GDPR honeymoon period set to end, earning the trust of regulators and customers is critical for all organisations.

How to do so is a topic I explore in an article for CPO magazine.

I hope you find it interesting and useful.

Complex, technical and emotive, data breaches are tough communications and reputational challenges at the best of times.

The EU’s GDPR ups the ante. Not only does it raise the prospect of bigger fines but it increases the likelihood of greater legal liability and reputational damage.

Widely regarded as the gold standard for data privacy across the world, GDPR is being adopted by many countries and regions, including the Asia-Pacific Economic Cooperation.

What does the GDPR mean for business leaders, communicators, risk managers, lawyers and others preparing for tougher data privacy laws across Asia and responding to data breaches in the EU?

Here are some important principles to bear in mind:

Take swift, decisive action to address the problem 

Companies have no option other than to move fast under GDPR. There are only 72 hours to establish what has happened, assess the likely damage, notify the regulator(s) and communicate with those impacted can seem like precious little time, especially when the facts remain unclear.

Notification and communication can appear especially daunting when the hole remains open and the facts are unclear. Yet, the quicker a company moves to fix the hole and the more decisively it does it, the more likely it will be able to limit the actual and potential damage and rebuild confidence.

Err on the side of caution, but do not panic

It is easy to feel like you are being press-ganged into publicly disclosing a data breach. In fact, not all breaches need to be reported to the regulator, and some don’t need to be reported within 72 hours.

Some breaches do not pose a high risk to those impacted, while others may be considered temporary. In some cases, the data involved is unintelligible and/or already in the public domain, in others, the effort involved in notifying the regulator may be considered disproportionate to the actual or likely damage.

In such instances, a company may choose to inform the customer of an incident without notifying the regulator or making a public statement—provided it is confident it is on a safe footing legally.

However, generally, it is best to err on the side of caution and report a breach to the regulator. If one is unclear, information regulators will generally advise whether it needs to be reported. They may also provide guidance on whether it should be communicated with those impacted.

That said, there may be some instances in which you feel it is more important to communicate immediately with those impacted, before notifying the regulator. For example, where the data involved is extremely sensitive, or where a supplier processing data for a business customer is breached.

There are also good reasons to be wary of going straight to the data subject. Customer and stakeholder expectations vary widely on data privacy and, in the wake of an incident, their behaviours can conflict. And news of a breach typically becomes public as soon as it has been communicated with those impacted.

Whichever route you choose, it is usually best to err on the side of caution. There’s no need to panic.

Be open and honest

The GDPR and emerging data privacy policy frameworks are fundamentally about transparency and trust, with organisations expected to be open and honest about data privacy in general and data breaches specifically.

EU information regulators have said they will take seriously anything that puts these twin principles into jeopardy and that they are willing to expand investigations beyond assessing IT/cybersecurity governance and controls to testing compliance in areas like technical competence and education and training.

The same goes for customers in Asia, who increasingly expect organisations to be honest about their shortcomings and to move quickly when something goes wrong.

Consider carefully how those impacted might be affected

Understandably, company leaders and executives fret primarily about the sensitivity and volume of data involved in a breach and what it means for the well-being of their employer. But it is just as important to pay close attention to those impacted and to the context in which the incident has occurred.

In August 2018, British Airways suffered a major breach involving the personal and financial details of over 500,000 customers. Despite no evidence of fraudulent financial activity at the time, British Airways quickly appreciated that the potential for lasting reputational damage was significant, given the large number of payment card and CVV numbers involved.

Hence the airline’s decision when it acknowledged the breach to offer compensation to customers for any financial hardship suffered—a promise that may result in significant payouts and higher insurance premiums going forward. The decision almost certainly also took into account the overwhelmingly negative reaction to the airline’s 2017 IT systems outage.

Consider carefully the needs and expectations of those impacted, the degree of external and internal scrutiny the incident attracts, your firm’s historic reputation, perceived culpability and other factors when you respond to a breach.

Don’t walk away

From a communications perspective, it is tempting to treat a breach as a one-off negative event to be resolved with a little timely public grovelling.

This is a mistake.

Nowadays, people take naturally to social media to vent their experiences and concerns, which can easily spiral into secondary news stories. Leaks are common, and breaches easily bleed into other business issues, thereby aggravating the situation and elongating the news cycle.

Worse, GDPR means regulatory investigations, fines and litigation are more likely, resulting in additional negative publicity. In the process, you may also come under greater pressure to publish internal and expert investigative reports.

It is important to understand that a breach is often just the start of the reputational battle, and that you must stay – and be seen to stay – the distance in all facets of your response if you are to have any real chance of success. 

Align your response

The messiness and complexity of data breaches and the need for different business units to be involved in the response can result in sloppy, inadequate, or inconsistent communications.

Given the expanded legal obligations under GDPR, the likelihood of the emergence of equivalent regimes across Asia and heightened public awareness of data privacy rights, it is particularly important that companies’ legal and communications responses are properly aligned.

Legal and communications teams can sometimes be at loggerheads, so this is not necessarily as straightforward as it sounds. It need not be difficult. Unlike in a court of law, in the court of public opinion, a business is presumed guilty until it proves its innocence.

This doesn’t just mean one should be as open and honest as possible and that one’s rhetoric always meets reality. It means that a company must look at the wider picture, avoid inappropriate legal threats, actions, and lawyerly sounding statements, and apologize sincerely when it is at fault.

By following these principles, you will be less likely to botch your business and communications response to a data privacy incident.

More important, you will be in a much better position you to persuade your customers and others that you are acting in their best interests.

This article was first published on BRINK Asia

A series of vague and apparently contradictory statements have marked Cathay Pacific’s public response to its recent data breach – the world’s largest airline data privacy incident.

While the extent of the damage to the company and its reputation remains unclear, the breach has been described by Cathay’s Chairman as ‘one of the most serious’ the airline has faced, and that its response would be ‘different’ tomorrow.

What can be learned from the airline’s fumbled response?

First, the backstory: late one evening Cathay acknowledges a ‘data security event’ affecting 9.4 million customers that it claims to have acted to contain ‘immediately’. A torrent of negative coverage and plenty of speculation about the state of the firm’s IT security quickly ensues. Journalists and customers complain that Cathay is not responding to phone calls or emails.

The following morning Cathay admits that it had been aware of suspicious behaviour on its network for a three month period starting March, prompting an avalanche of questions from worried customers and bemused regulators and politicians about why it had taken so long to inform its customers. CEO Rupert Hogg takes to the media and video to defend his firm.

Three weeks later, Cathay submits a statement (pdf) to Hong Kong lawmakers confirming the attack had intensified over a three month period and that it had known in August that passenger data had been accessed and/or stolen. Cue a third wave of hostile coverage, this time questioning the company’s honesty and transparency. Lawmakers accuse the company of orchestrating a cover-up.

(Business Traveller has a useful timeline of the incident).

Making inaccurate or inconsistent statements during a data privacy incident is easily done when facts are thin on the ground and the media is breathing down one’s neck.

Top data breach communications pitfalls

Based on my experience, here are the top five communications mistakes organisations make when responding to a data breach – the first and most damaging of which is zero communication:

  1. Concealing a breach. Until recently, most data breaches were not made public. GDPR and other data privacy laws now mean organisations must notify those impacted and the relevant authorities about a breach. Yet some will try to bury it from public view. As Uber and Yahoo! can testify, a cover-up is seen as worse than the breach itself. Substantial fines may appear a good deterrent to concealment, but research shows the longer-term reputational damage can be more significant.
  2. Confirming a breach too slowly. Cathay Pacific took three months to delay formal notification in order to contain the attacks and to determine what data had been lost and who has been affected. But organisations in many jurisdictions are now obliged to notify regulators quickly, and customers now expect to be informed quickly, and view organisations that are seen to move too slowly as unprofessional, clueless, or with something to hide.
  3. Providing inaccurate facts or data. Cathay Pacific may have waited until it was sure of the facts and numbers, yet many organisations now quickly go public about a breach to meet their regulatory obligations, or under pressure from a third party, and then have to revise their statements as the facts become clear (eg. Dixons Carphone revising upwards the number of records involved in its 2017 data breach from 1.2 million to 10 million). This creates additional negative news cycles, and creates a perception of amateurism at best and willful obfuscation at worst.
  4. Downplaying a breach. It is tempting to claim that the sensitivity and scope of the data and systems involved in a breach are limited, or that the impact on the company and those affected is minimal. But such statements can easily come undone as the full extent of the intrusion comes to light, leaving you looking irresponsible or worse.
  5. Providing inadequate media support. Cathay chose to push out its bad news late in the evening and send its teams home. But little irritates journalists more than an unmanned communications team or unresponsive senior management, and senior executives unable or unwilling to provide a human face to something that has already been confirmed publicly by the company.

Every organisation is advised to avoid these pitfalls wherever possible.

Cathay’s CEO may have promised the airline would respond differently to future breaches, but he did not elaborate how.

Notifying regulators and customers more quickly is an obvious starting point.

Careful thought should also be given to the openness, transparency, tone, consistency and ownership of its’s statements, amongst other factors.

%d