Recent data thefts from Target and Snapchat illustrate why communications professionals need to be fluent in online security issues and have a rapid-response team in place.
Image-sharing app Snapchat enjoyed a meteoric rise in 2013, but on the last day of the year, it suffered a security breach that resulted in the data of 4.6 million users leaking online.
Such breaches are common these days, as consumers share more personal and financial data with corporations. They also affect small and large companies alike – Target is another high-profile company to have been hit recently. Just Friday morning, the Minneapolis-based retailer revealed that a holiday shopping season data breach affected 70 million customers, nearly twice as many as was previously thought.
With the issue becoming more pressing for communications professionals, the media spotlight is on how they react as much as the security concerns themselves.
For instance, Snapchat was criticized for its slow response to the crisis and failure to apologize until Thursday, January 9.
Companies that find themselves in such a position should come clean “as quickly as possible,” says Jason Mandell, partner and cofounder at LaunchSquad.
“It must apologize and acknowledge that something went wrong,” he adds. “The first statement [Snapchat] issued sounded like a robot wrote it – it was so inauthentic. It should have said, ‘We messed up. We are a young company and we’ll make sure this stuff doesn’t happen again.’ Just tell the truth and people will understand.”
Mandell explains that in its statement, Snapchat gave “too much” of the “wrong” kind of information, detailing the technical reason for the breach in ways users may find uninteresting or difficult to understand.
Sean Garrett, cofounder and partner of The Pramana Collective, says companies should respond to a data breach proactively and with all available information about what, if any, sensitive consumer information was taken. They must also discuss the steps the company is taking to redeem it and what consumers should do to protect themselves, such as changing passwords or checking bank statements.
Of course, the approach to such a crisis varies for companies depending on their size. “For young Internet-based companies, you need to think through who all your audiences are and where you fit into the current Zeitgeist,” Garrett explains.
“If you are a hot company with a high valuation, but still only have a small number of employees, you need to recognize that while your place of work may feel very much like the loose-knit startup, your actions will not only be judged by consumers, but by media who have never used your product and by policymakers looking to protect consumer privacy,” he says.
Garrett suggests companies that require a high level of consumer trust should be proactive in engaging the hacker community.
“When an exploit hits, all of this work will both help with a response and you will have built a base of goodwill in the security community,” he says.
Target, which suffered a breach during the holiday shopping season that led to unauthorized access to payment-card data for millions of its customers, created a landing page on its A Bullseye View blog with behind-the-scenes content to explain how it is addressing the situation. It has also used its corporate site as a resource for official news and information on the data leak.
Target said it could not comment on its response to the breach.
Leigh Nakanishi, senior data privacy and security strategist at Edelman, points out that data breaches are often complex and varied, so it is essential that communications professionals have an understanding of security issues.
For example, a data breach could be disclosed in the media well before a company has many of the details about how the incident happened or the legal requirements. The tone of the response could also fluctuate significantly depending on what data was lost and how the compromise happened, Nakanishi adds.
He advises a “cross-functional alignment across legal, communications, and technical security teams and establishing a regular cadence of meetings to deal with the complexity of security breaches.”
“Ideally this process would be established in a security-response plan that is documented and practiced in advance of a real incident,” Nakanishi says.
He also points out that often some details of how an attack happened must be held back because of an ongoing investigation by law enforcement, but the communications team should develop a holding statement that can be used in the event of a leak.
Amanda Munroe, VP at Shift Communications, agrees that if a breach occurs, companies should form a cross-departmental team to develop a plan of action.
“This process will help with prioritization and create a timeline, as well as designate company owners for certain tasks, such as alerting customers and partners, determining a media communications plan, and investigating why a breach occurred,” she explains.
Munroe adds that this team should work together throughout the investigation so that new information is shared “internally and externally when relevant and necessary.”
“As the investigation unfolds, more information may become available,” she says, “and some of that should be shared with customers.”