Archive

Tag Archives: Reputation management

Concern is widespread that artificially generated ‘deepfake’ videos pose a major potential problem for those targeted, be they companies, CEOs, celebrities, academics and commentators, or politicians.

A new study of 14,678 deepfake videos by cybersecurity company Deeptrace suggests otherwise. Deepfakes may generate millions of views, yet the great majority (96%) are pornographic and have little wider societal impact.

Of those that are not pornographic, such as Chinese deepfake face-swapping app Zao or a recent spoof of former Italian PM Matteo Renzi, most are designed to entertain. Only a tiny minority have been expressly designed to sow misinformation or disinformation, or to damage reputation.

The reputational threat of deepfakes

This may change all too soon. Deepfakes are increasingly realistic, freely available, and easy to make. Artificial voice company Lyrebird promises it can create a digital voice that sounds like you in a few minutes (even if my voice apparently proved less than straight-forward.)

It is surely only a matter of time before we see more regular instances of deepfakes damaging – directly or indirectly – companies, governments and individuals through false or misleading news stories, hoaxes and reputational attacks.

A recent example: controversial Canadian psychology professor Jordan Peterson recently found himself at the mercy of a website where anyone could generate clips of themselves talking in his voice, forcing him to threaten legal action. The simulator has since been taken offline.

In another case a political private secretary in the Malaysia government was arrested over a video allegedly showing him having illegal gay sex with the country’s minister of economic affairs. The country’s leader responded by saying the video was ‘cooked up’, but it remains unproven whether the video was manipulated. 

Reputational risks of deepfakes for companies include:

  • A fake CEO town hall video regarding the new company strategy is ‘leaked’ to the outside world, allegedly by a short seller
  • The voice of a politician is used to manipulate a senior director into discussing allegations of corporate fraud
  • A fake recording of two executive board directors discussing the sexual habits of a colleague is used to blackmail the company
  • An outsider gains entrance to a secured office by impersonating the voice of a company employee.

Spread over the internet and social media and excavating distrust in institutions and deep geo-political tensions, the risks of malevolent deepfakes are only now starting to emerge.

While the likelihood of a deepfake attack remains low in the short-term, and impact remains hard to quantify, every organisation would be wise to start considering what it may mean for its name and image.


Deepfakes are only one form of AI, though arguably pose the most direct reputational risk.

Visit the AIAAIC Repository to understand the risks of AI, algorithms and automation.

Egypt Air Public Relations

It sounds good in principle. A sign in Cairo airport directs passengers to Egypt Air Public Relations. In practice, the desk turns out to be manned by a customer service team. 

The team is friendly, polite and helpful – a credit to the airline. It constitutes good public relations, even if it is not PR as we think of it today.

It begs two questions: What is Public Relations? And is the term fit for purpose?

From publicity to connecting dots

Clearly, PR has moved on since its early days of B.T. Barnum’s publicity stunts. Today’s digitised and accountable landscape means PR is about listening, understanding, outreach, engagement, measurement and evaluation.

It is about advising leadership as well as manning the product and reputational coalface. It is about cooperation and collaboration, joined-up thinking and connecting dots.

Yet the PR industry continues to suffer from a poor name and image. It is seen to lack real bite and C-suite credibility and is tarnished by its association – merited or otherwise – with ‘spin’ and smears.

My own background could be said to be in PR yet, as an observant reviewer points out, I do not use the term Public Relations in my book Managing Online Reputation.

He is correct: I deliberately avoid it, and use the word Communications instead.

Why?

Most importantly, I want to reflect the fact that ‘PR’ people don’t just puff products and salvage broken reputations but provide internal communications, leadership communications, stakeholder communications, corporate communications, corporate marketing, influencer communications, digital and social media communications, and a host of other forms of communications.

I also aim to persuade my readers that the principles and practices of online reputation management – a notoriously shady ‘industry’ – must be approached strategically, appropriately and ethically to be effective.

This, I figure, would be more likely achieved by viewing online reputation through a Communications rather than a PR or digital marketing prism.

Opportunity to own the communications high ground

I am not alone. Most organisations have renamed their Public Relations units as Corporate Communications or simply Communications teams. PR agencies and industry associations such as the PRCA (formerly the Public Relations Consultants Association and now the Public Relations and Communications Association) have followed suit in whole or in part.

Yet the term Public Relations stubbornly persists – in the industry, in business, in the media, and amongst the general public.

With competition hotting up as marketing agencies, management consultants and others encroach on PR industry turf, there are compelling reasons to drop the term Public Relations entirely and replace it with Communications or variants thereof.

Such a move would be brave.

The earned media dimension of PR may lose its pointed edge. And the term ‘communications’ is open-ended, meaning many things to many people.

It would also require real ambition.

Ad agencies have been busy repositioning themselves as marketing agencies in order to reflect their broader capabilities, and to give themselves the flexibility to move into new areas.

This leaves space for the PR industry to occupy the Communications high ground and everything it entails.

A window now exists for PR to own the term Communications, and to rename itself in its own new image.

It should move fast, and aggressively.

Since the start of the year a rumour has been swirling that Facebook has been using a then-and-now facial recognition photo-sharing challenge to collect data about users and improve its AI algorithms. The social network denies it started or is involved with the challenge. 

That people suspect Facebook of being involved, and that the rumour went viral, is indicative of the suspicion with which the company is held since its flaccid approach to privacy became widespread public knowledge.

Multiple data privacy violations

These suspicions are not new. There was the row over Facebook’s Beacon user-tracking service in 2007, concerns about facial recognition, a bungled psychological experiment into the moods of its users, and run-ins with the US FTU, ACLU and privacy commissioners in multiple jursidictions over many years.

According to Google, there has been considerable public interest in privacy (mostly as a proxy for internet and/or data privacy) for many years.

Google: Data Privacy News Trends


Facebook had plenty of time to tackle the problem and prepare a meaningful response. The Guardian’s initial story in December 2015 about the covert harvesting of user data by Cambridge Analytica did not ignite until whistle-blower Christopher Wylie lifted the lid on Cambridge Analytica twenty-six months later.

Yet they did little to address the core of the privacy issue, Mark Zuckerberg disappeared as soon as the story ran, and Facebook’s value dropped USD 119 billion in a single day. Zuckerberg hardly helped matters by refusing to appear before the UK DCMS Enquiry into Disinformation and ‘Fake News’.

How did Facebook fail to anticipate a major privacy crisis when the writing had been on the wall for so long? Were its leaders truly ignorant and out of touch, or simply failed to act substantively on the many warning signs? Why did they behave the way they did? Was Facebook’s experience isolated, or consistent with other reputational meltdowns? 

Reputation risk management

These are the kinds of questions posed by lawyer Anthony Fitzsimmons and insurance expert Derek Atkins in their book Rethinking Reputational Risk, in which they get to practical grips with the notoriously knotty, slippery topic of reputation risk management.

Rethinking Reputational Risk

Drawing on analysis of recent high profile crises such as BP’s Deepwater Horizon spill, Barclays’ LIBOR rigging, Tesco’s false accounting, and the VW diesel emissions scandal, the authors argue that the problem lies in the complexity of many modern businesses, the emergence of multiple online ‘unseen systems’, fast-changing stakeholder behaviours, inadequate listening, issues management and crisis preparedness, and an unwillingness to get to the root problem of problems and failures, chiefly due to over-confidence, complacency and hubris.

All this sounds familiar. But the book comes into its own when it addresses the failure of ‘classical’ risk management and the three/four line of defence model, which is regarded as overly rigid and ill-suited to handling the many and varied behavioural risks, from weak culture and values and inappropriate incentive schemes, to the blurring of personal and professional lives and the character and personality traits of senior leaders.

The authors rightly argue that reputation risk is first and foremost a leadership responsibility, and too often it is at Board level that things fall down. Board failures were involved in 50% of the 42 crises studied.

Why?

Because Boards are essentially self-selecting, and overly reliant on people with financial and operational experience, as opposed to the forensic, analytical, behavioural and digital skills that are required in today’s globalised, networked and inherently volatile economies. There is much in this.

Since concerns about Facebook’s approach to privacy first started emerging several years before its murky dealings with Cambridge Analytica came to light, Mark Zuckerberg and Sheryl Sandberg have admitted that they should have taken user privacy far more seriously.

The important question on why they didn’t heed the warning signals earlier appears to have a single plausible answer: user privacy was regarded as a price worth paying for growth, and they would make the most of it while the sun shone and regulators, politicians, customers and the general public had more important fish to fry.

Mark Zuckerberg may insist he is personally responsible for Facebook’s privacy lapses, but Facebook’s board is also responsible and must prove itself equal to the task of fixing the holes properly, and holding its CEO to account. Its members would do well to read Fitzsimmons and Atkins’ excellent book.

Meantime, Facebook must shoulder part of the blame for the many rumours about it – be they accurate, misinformed, or plain false.


A series of vague and apparently contradictory statements have marked Cathay Pacific’s public response to its recent data breach – the world’s largest airline data privacy incident.

While the extent of the damage to the company and its reputation remains unclear, the breach has been described by Cathay’s Chairman as ‘one of the most serious’ the airline has faced, and that its response would be ‘different’ tomorrow.

What can be learned from the airline’s fumbled response?

First, the backstory: late one evening Cathay acknowledges a ‘data security event’ affecting 9.4 million customers that it claims to have acted to contain ‘immediately’. A torrent of negative coverage and plenty of speculation about the state of the firm’s IT security quickly ensues. Journalists and customers complain that Cathay is not responding to phone calls or emails.

The following morning Cathay admits that it had been aware of suspicious behaviour on its network for a three month period starting March, prompting an avalanche of questions from worried customers and bemused regulators and politicians about why it had taken so long to inform its customers. CEO Rupert Hogg takes to the media and video to defend his firm.

Three weeks later, Cathay submits a statement (pdf) to Hong Kong lawmakers confirming the attack had intensified over a three month period and that it had known in August that passenger data had been accessed and/or stolen. Cue a third wave of hostile coverage, this time questioning the company’s honesty and transparency. Lawmakers accuse the company of orchestrating a cover-up.

(Business Traveller has a useful timeline of the incident).

Making inaccurate or inconsistent statements during a data privacy incident is easily done when facts are thin on the ground and the media is breathing down one’s neck.

Top data breach communications pitfalls

Based on my experience, here are the top five communications mistakes organisations make when responding to a data breach – the first and most damaging of which is zero communication:

  1. Concealing a breach. Until recently, most data breaches were not made public. GDPR and other data privacy laws now mean organisations must notify those impacted and the relevant authorities about a breach. Yet some will try to bury it from public view. As Uber and Yahoo! can testify, a cover-up is seen as worse than the breach itself. Substantial fines may appear a good deterrent to concealment, but research shows the longer-term reputational damage can be more significant.
  2. Confirming a breach too slowly. Cathay Pacific took three months to delay formal notification in order to contain the attacks and to determine what data had been lost and who has been affected. But organisations in many jurisdictions are now obliged to notify regulators quickly, and customers now expect to be informed quickly, and view organisations that are seen to move too slowly as unprofessional, clueless, or with something to hide.
  3. Providing inaccurate facts or data. Cathay Pacific may have waited until it was sure of the facts and numbers, yet many organisations now quickly go public about a breach to meet their regulatory obligations, or under pressure from a third party, and then have to revise their statements as the facts become clear (eg. Dixons Carphone revising upwards the number of records involved in its 2017 data breach from 1.2 million to 10 million). This creates additional negative news cycles, and creates a perception of amateurism at best and willful obfuscation at worst.
  4. Downplaying a breach. It is tempting to claim that the sensitivity and scope of the data and systems involved in a breach are limited, or that the impact on the company and those affected is minimal. But such statements can easily come undone as the full extent of the intrusion comes to light, leaving you looking irresponsible or worse.
  5. Providing inadequate media support. Cathay chose to push out its bad news late in the evening and send its teams home. But little irritates journalists more than an unmanned communications team or unresponsive senior management, and senior executives unable or unwilling to provide a human face to something that has already been confirmed publicly by the company.

Every organisation is advised to avoid these pitfalls wherever possible.

Cathay’s CEO may have promised the airline would respond differently to future breaches, but he did not elaborate how.

Notifying regulators and customers more quickly is an obvious starting point.

Careful thought should also be given to the openness, transparency, tone, consistency and ownership of its’s statements, amongst other factors.

%d bloggers like this: