The Federation Against Copyright Theft (FACT) has fought an uphill battle for decades to convince consumers that video or music piracy isn’t a victimless crime. Even those of us who understand exactly what they mean aren’t always quick to condemn the pirates (on whatever scale they act).
There is, however, one crime that is on the rise, where the victim is usually the one blamed (rather than the criminals), where the costs to the victim can be monumental and where the impact on the victim’s brand can be disastrous – it is hacking.
To make matters worse, the tried and tested crisis management techniques used in all other crises, which focus on containment, simply won’t work with a hacking incident or data breach. This is because the new data privacy regulations (GDPR) mandate prompt and wide disclosure.
Let’s consider just how different a hacking incident or data breach is from a more physical crisis:
| | Physical Crisis: Bank Robbery | Physical Crisis: Fire caused by staff | Digital Crisis: Hack & Data Breach |
| --- | --- | --- | --- |
| Incident | | | |
| Criminality | Criminal action by a third party | Possibly criminal or negligent action by members of staff | Criminal action by a third party |
| Responsibility | We did all we could to ensure physical security but nothing is ever 100% secure | We did all we could with recruitment and training to prevent such actions, but it can still happen | We did all we could to ensure data security but nothing is ever 100% secure |
| Response | | | |
| Containment | The bank robbers won’t be publicising their actions and police will focus on investigation, so containing the issue is entirely possible | If there is likely to be criminal prosecution, then there is a limit to what detail can be shared publicly – so containment is likely | There is a mandatory obligation to inform the regulators and impacted customers within 3 days. Containment is impossible |
| Blame | The media and public opinion are likely to focus on the bank robbers as the villains and have sympathy for the bank and its staff | The media and public opinion are likely to focus on the actions of the employee and have some sympathy for the company impacted | The identity of the hackers is unlikely to be known. The media and public opinion will put the blame on the victim instead – your company |
Whether or not a physical crisis results from the criminal actions of your own staff or of a third party, containment is typically a possibility and as the victim you are unlikely to be the main focus of blame. There are also very few incidents that will have an impact on consumer trust in your brand. People won’t stop using a particular bank if one of its branches gets robbed. The bank’s insurance premium may rise and this may be passed indirectly on to its customers, but they experience no personal impact or emotional connection here.
Conversely, with a digital crisis, containment is typically impossible (due to the mandatory disclosure obligations). And even if you took all feasible measures to prevent the breach, you will still be seen as having failed to protect your data and will therefore be the main focus for any blame. Also, as the party being blamed, your credibility will be at an all-time low, and your ability to counter the inevitable hysteria and misinformation that will follow any breach will be minimal. Whether all your customers are directly impacted or just a subset, and whether or not this leads to direct financial loss, all your customers will feel an emotional connection and may reconsider trusting you with their data in future. There will consequently be an immediate and a long-term impact on the level of consumer trust in your brand. Much of the brand damage may well be caused by the hysteria and misinformation that you failed to counter as the story exploded.
This may all sound unfair. It probably is. You just need to be ready to deal with it.
Important points to understand:
You need to adopt a different approach. We can help!