A recent spate of customer-data leaks is creating a new kind of crisis communication.
August 4, 2005, was a significant day for the PR team at LexisNexis. After months of unremitting media attention, that summer day marked the first time a story didn't run somewhere about an information security breach discovered in March at Seisint, then a recently acquired part of the company.
"March through June was pretty much a blur," as the company implemented a crisis communications plan to deal with the problem, recalls Steve Edwards, LexisNexis' director of corporate communications.
Incidences of hacking into computer systems that house personal data have become big stories this year as personal information increasingly flies through cyberspace and more criminals see an opportunity to profit from stealing it.
In June, for example, MasterCard International reported a security breach at a vendor it uses to process payments that could have exposed more than 40 million cards to possible fraud. Roughly 13.9 million of those were MasterCard-branded offerings.
Earlier on in the year, LexisNexis had discovered that intruders had used passwords and IDs of legitimate customers to access personal information about other people in Seisint's database. Ironically, it uncovered this during an internal review following the media cover- age of data-security breaches at Georgia-based data warehouse ChoicePoint.
Before going public with the problem, LexisNexis' communications team held focus groups in two cities in March and did phone surveys testing possible key message points it would use when talking about the problems it had found.
"We wanted a better gauge of what people who might be impacted would think," says Mary Dale Walters, VP of global marketing and communications. Results were shared with the company's government affairs team which was dealing with Congressional calls for new legislation.
On March 9, the company announced the first problem it had found. The following week, it mailed notifications to 32,000 individuals.
Its next major announcement came April 18. A second round of mailings went out to 280,000 people who may have been affected. The main message: "We have bought a problem [through the Seisint acquisition] and we'll fix it," Walters says. LexisNexis offered such services as a year of free credit monitoring to show it was concerned about people's financial well-being. Of the more than 310,000 people notified, 18,000 took advantage of the offer.
A special website went up detailing services available and toll-free numbers were activated for consumers to call. Press materials, such as Q&As, were prepared. The company brought in Creative Response Concepts (CRC), an Alexandria, VA, firm, to help in Washington as Congressional hearings about data safety took place.
Internally, sites were established to communicate with employees and manager meetings were held. Influencers within Seisint's Boca Raton, FL, workforce were called to find out how staff morale was holding up during the crisis.
A senior team that included Walters, the company's CEO, and the heads of the legal and IT departments began meeting weekly in February, but switched to daily meetings by the end of that month and kept those up through mid-June, even working weekends during March and April.
Constant communication was kept up with LexisNexis' parent company, Reed Elsevier, in London. Reed actually made the first March announcement in London at 2am EST, and handled IR issues from there. One of CRC's duties was to monitor initial media reaction to that announcement.
Finding words that accurately conveyed what had happened became a major part of the communications challenge, Walters says.
"We wanted to be clear this wasn't about hacking," as that term raises issues about a system's overall security, she notes. She also had to explain to media that customers were not the same as individuals since LexisNexis works with business customers. An early story out of London used the term 32,000 customers, which wasn't accurate. It should have read 32,000 individuals.
When media inaccuracies appeared, "we were particularly aggressive about going after corrections," Walters says.
Constantly assuring consumers
Like others who have faced similar situations, LexisNexis realizes that in addition to addressing the problem, it also must do more in the future to tell consumers that it is doing everything possible to ensure the safety of their personal information. While media coverage has finally abated, LexisNexis isn't done talking about data security. "We're in the fourth phase of what's at least a five- or six-phase communications strategy," says Walters.
James Lee, CMO with Georgia-based data warehouse ChoicePoint, which faced its crisis in February, agrees.
"We must make the public more aware of what we're doing, and how and why we do it," he explains.
ChoicePoint conducted media research after its problem surfaced and found 94 incidents of data security breaches reported on since January. So any company that holds consumer information and thinks it needn't worry about the topic had better think again.
That means not only having a crisis communications plan ready, but adapting it to particular requirements of an information security breach. Those include having open, active lines of communication between PR, information technology, and legal staffers so that computer jargon can be quickly and accurately translated into statements the public understands and the company can live with from a legal standpoint.
It also means taking into account all possible stakeholders, even those - as in the case of ChoicePoint - that companies might not ordinarily deal with directly. And it means being prepared to deal with angry consumers, regulators, and others impacted. Having methods in place for customers to give feedback is key to showing a company cares about stakeholders, crisis experts agree.
The University of North Texas went so far as to bring in crisis counselors to talk to the people manning its phone bank after it notified 38,607 current, former, and prospective students in early August that some of their personal information might have become available to unauthorized people.
While the school had no actual evidence student information had been stolen or misused, "we felt we had to act as if that were the case," recounts Deborah Leliaert, VP for university relations, communications, and marketing.
Time is of the essence
Waiting to see if a breach turns into identity or data theft can cost a company valuable time and paint it as an entity trying to cover up rather than communicate with its publics, says Jonathan Bernstein, founder of Bernstein Crisis Management in Moravia, CA.
ChoicePoint turned on a dime when its problem broke in an MSNBC story on February 14. By the second week of coverage, its crisis team was in place. The company hadn't made an announcement of its problem, which involved a group of Nigerian identity thieves buying personal information from it under false pretenses. Instead, it first sent letters to those possibly affected while it cooperated with legal authorities looking into the matter. Some have criticized the company for waiting to make a public announcement, but Lee defends the decision, explaining that he would have not been able to comment further if he had announced the problem earlier because of the investigation.
"You can only tell people so many times to call the police department for information," he argues. He adds that a California law requiring customer notification when a breach has occurred makes an exception when an investigation is underway. At the time the ChoicePoint issue arose, that was the only law in the country mandating customer notification in such a situation.
In recent days, ChoicePoint has been talking about the variety of steps it has taken to improve its data security. In June, for example, it announced the hiring of Ernst & Young to do a best practices study and help it create privacy, credentialing and compliance practices.
"The number-one lesson here is that these are very complicated issues that don't lend themselves to easy answers," Lee advises.
Timeline of a crisis
urging of some attorney generals who feel consumers may be ignoring them.