It takes many good deeds to build a reputation… and only one data breach to lose it
People care about what happens to their personal information. Awareness of identity theft and personal privacy has never been higher, and employees and customers expect organisations to be responsible caretakers of their own and other people’s information.
Getting data protection right is not only an obligation under law but it should be central to an organisation’s reputation management. Indeed, with the media giving increased coverage to data loss stories, it has become one of the biggest threats to corporate reputation. But often, it’s not necessarily the data breach that damages reputation but the way in which the breach was managed. Companies and organisations often spot the issue too late and respond inadequately, and there can be a lack of clarity and transparency about how the breach is being managed.
Game-changing legislation is on the way
The sense of invasion or the anxiety that data loss can cause should never be underestimated, and as hackers increasingly become more sophisticated and organised, the risks get higher. So too does the regulation.
In May 2018, there will be an overhaul of European data protection law that is going to impact everyone, and will set the standard. This game-changer law, the EU General Data Protection Regulation, aims to put control of data back in the hands of the individual and harmonise rules across the EU. There will be severe fines for non-compliance, and when customers start taking their business elsewhere because of the breach, it will be a further significant blow.
With organisations having just over a year to plan for implementation, preparation for compliance should begin without delay. In Ireland, the ‘data capital of Europe’, companies are taking particular notice: more than 30 data centres and the headquarters of the biggest internet giants on the planet are based here.
The Irish Government has prioritised this issue. Ireland was one of the first countries to put in place a dedicated Minister for Data Protection and a highly-resourced Data Protection Commission, in line with the many born-on-the-internet brands making Ireland their home.
A well-managed response can engender trust
It is essential that all possible measures are put in place to try and prevent a breach. Companies that fail to keep personal data safe risk long-lasting reputational damage; according to a 2016 YouGov poll in the UK, eight out of 10 people would think twice about giving their custom to an online company that had made headlines for failing to stop a security breach.
Boardrooms also recognise the reputational risks associated with data breaches. Gregg Steinhafel, CEO and Chairman of US company Target, was forced out of his position in the wake of a data breach affecting millions of customers. It represented the first sacking of a Fortune 100 company head in response to a major cyber incident.
If a breach does occur, the crisis must be handled properly, quickly and transparently. Organisations should consider taking the following actions:
Swift, decisive and convincing
- Gather the facts - detect the source and scale, and ring-fence the breach.
- Gather a crisis response team, which ideally will already have been set up, allowing for a coordinated and consistent approach.
- Ensure a media-trained data protection official has the necessary information to explain the situation clearly.
Accountability and understanding
- A swift recognition of the issue, and reassurance to those affected that everything is being put in place to resolve or investigate the breach, is key.
- Communicate quickly and accurately and provide the media with as much information as possible. Be factual and don't speculate.
- Examine what the different stakeholders think and feel about the breach and keep them updated.
- Create a recovery plan – assess the risks moving forward, update your information security and regularly inform those affected on changes implemented.
In essence, there is nothing worse than a customer who has been affected finding out about it through the media before you’ve had a chance to notify them. Retaining control of the crisis and the communications in the early stages of the breach can help to ensure that reputational risks are mitigated.