Safeguarding reputation

A recent spate of customer-data leaks is creating a new kind of crisis communication.

August 4, 2005, was a significant day for the PR team at LexisNexis. After months of unremitting media attention, that summer day marked the first time a story didn't run somewhere about an information security breach discovered in March at Seisint, then a recently acquired part of the company.

"March through June was pretty much a blur," as the company implemented a crisis communications plan to deal with the problem, recalls Steve Edwards, LexisNexis' director of corporate communications.

Incidences of hacking into computer systems that house personal data have become big stories this year as personal information increasingly flies through cyberspace and more criminals see an opportunity to profit from stealing it.

In June, for example, MasterCard International reported a security breach at a vendor it uses to process payments that could have exposed more than 40 million cards to possible fraud. Roughly 13.9 million of those were MasterCard-branded offerings.

Earlier in the year, LexisNexis had discovered that intruders had used passwords and IDs of legitimate customers to access personal information about other people in Seisint's database. Ironically, it uncovered this during an internal review following the media coverage of data-security breaches at Georgia-based data warehouse ChoicePoint.

Before going public with the problem, LexisNexis' communications team held focus groups in two cities in March and did phone surveys testing possible key message points it would use when talking about the problems it had found.

"We wanted a better gauge of what people who might be impacted would think," says Mary Dale Walters, VP of global marketing and communications. Results were shared with the company's government affairs team, which was dealing with Congressional calls for new legislation.

On March 9, the company announced the first problem it had found. The following week, it mailed notifications to 32,000 individuals.

Its next major announcement came April 18. A second round of mailings went out to 280,000 people who may have been affected. The main message: "We have bought a problem [through the Seisint acquisition] and we'll fix it," Walters says. LexisNexis offered such services as a year of free credit monitoring to show it was concerned about people's financial well-being. Of the more than 310,000 people notified, 18,000 took advantage of the offer.

A special website went up detailing services available and toll-free numbers were activated for consumers to call. Press materials, such as Q&As, were prepared. The company brought in Creative Response Concepts (CRC), an Alexandria, VA, firm, to help in Washington as Congressional hearings about data safety took place.

Internally, sites were established to communicate with employees and manager meetings were held. Influencers within Seisint's Boca Raton, FL, workforce were called to find out how staff morale was holding up during the crisis.

A senior team that included Walters, the company's CEO, and the heads of the legal and IT departments began meeting weekly in February, but switched to daily meetings by the end of that month and kept those up through mid-June, even working weekends during March and April.

Constant communication was kept up with LexisNexis' parent company, Reed Elsevier, in London. Reed actually made the first March announcement in London at 2am EST, and handled IR issues from there. One of CRC's duties was to monitor initial media reaction to that announcement.

Finding words that accurately conveyed what had happened became a major part of the communications challenge, Walters says.

"We wanted to be clear this wasn't about hacking," as that term raises issues about a system's overall security, she notes. She also had to explain to media that customers were not the same as individuals since LexisNexis works with business customers. An early story out of London used the term 32,000 customers, which wasn't accurate. It should have read 32,000 individuals.

When media inaccuracies appeared, "we were particularly aggressive about going after corrections," Walters says.

Constantly assuring consumers

Like others who have faced similar situations, LexisNexis realizes that in addition to addressing the problem, it also must do more in the future to tell consumers that it is doing everything possible to ensure the safety of their personal information. While media coverage has finally abated, LexisNexis isn't done talking about data security. "We're in the fourth phase of what's at least a five- or six-phase communications strategy," says Walters.

James Lee, CMO with Georgia-based data warehouse ChoicePoint, which faced its crisis in February, agrees.

"We must make the public more aware of what we're doing, and how and why we do it," he explains.

ChoicePoint conducted media research after its problem surfaced and found 94 incidents of data security breaches reported on since January. So any company that holds consumer information and thinks it needn't worry about the topic had better think again.

That means not only having a crisis communications plan ready, but adapting it to particular requirements of an information security breach. Those include having open, active lines of communication between PR, information technology, and legal staffers so that computer jargon can be quickly and accurately translated into statements the public understands and the company can live with from a legal standpoint.

It also means taking into account all possible stakeholders, even those - as in the case of ChoicePoint - that companies might not ordinarily deal with directly. And it means being prepared to deal with angry consumers, regulators, and others impacted. Having methods in place for customers to give feedback is key to showing a company cares about stakeholders, crisis experts agree.

The University of North Texas went so far as to bring in crisis counselors to talk to the people manning its phone bank after it notified 38,607 current, former, and prospective students in early August that some of their personal information might have become available to unauthorized people.

While the school had no actual evidence student information had been stolen or misused, "we felt we had to act as if that were the case," recounts Deborah Leliaert, VP for university relations, communications, and marketing.

Time is of the essence

Waiting to see if a breach turns into identity or data theft can cost a company valuable time and paint it as an entity trying to cover up rather than communicate with its publics, says Jonathan Bernstein, founder of Bernstein Crisis Management in Moravia, CA.

ChoicePoint turned on a dime when its problem broke in an MSNBC story on February 14. By the second week of coverage, its crisis team was in place. The company hadn't made an announcement of its problem, which involved a group of Nigerian identity thieves buying personal information from it under false pretenses. Instead, it first sent letters to those possibly affected while it cooperated with legal authorities looking into the matter. Some have criticized the company for waiting to make a public announcement, but Lee defends the decision, explaining that he would have not been able to comment further if he had announced the problem earlier because of the investigation.

"You can only tell people so many times to call the police department for information," he argues. He adds that a California law requiring customer notification when a breach has occurred makes an exception when an investigation is underway. At the time the ChoicePoint issue arose, that was the only law in the country mandating customer notification in such a situation.

In recent days, ChoicePoint has been talking about the variety of steps it has taken to improve its data security. In June, for example, it announced the hiring of Ernst & Young to do a best practices study and help it create privacy, credentialing and compliance practices.

"The number-one lesson here is that these are very complicated issues that don't lend themselves to easy answers," Lee advises.

Timeline of a crisis

  • LexisNexis had its first day without reports of its crisis on August 4, 2005. Below is a timeline of some of the events that led up to that date.

    February

  • LexisNexis sees competitor ChoicePoint in the news for a data security issue, begins discussing how it should respond to related media calls. Opts to provide only background information.

  • LexisNexis unveils a data-security problem of its own. Crisis team begins meeting weekly, shifts to daily by month's end as a problem is discovered.

    Early March

  • Knowing it has a data security issue, LexisNexis contacts focus groups and conducts phone surveys to test message points and gauge consumer concerns.

    March 9

  • Parent company Reed Elsevier announces LexisNexis has found a problem that could affect 32,000 individuals.

  • London announcement by Reed at 2am EST is watched by LexisNexis agency CRC to monitor media reaction.

  • Letters are sent to the 32,000 individuals. Notices are re-mailed at the urging of some attorneys general who feel consumers may be ignoring them.

  • Legislators and state regulators are brought into the communications loop about steps the company is taking.

    April 18

  • After an ongoing investigation, the company announces 310,000 individuals may have been affected. Letters go out to those impacted, specifying which types of personal information may have been compromised.

  • A package of services is offered to those affected, including free credit monitoring for a year. A website provides details.

  • Toll-free numbers are used to take consumer complaints.

  • Internal communications uses website, meetings, and phone calls to offer information and monitor staff morale.

  • Media calls reach 650 a day in initial coverage. CEO is made available for interviews with five key media outlets plus hometown papers in LexisNexis' headquarters city of Dayton, OH, and Boca Raton, FL, where Seisint is based.

  • Media monitoring for coverage continues into August.
