Shutting the stable door: handling data security breaches in social media
Imagine waking up to an exposé of your firm’s supply chain: you’ve been indirectly responsible for supporting child labour on an industrial scale. NGOs are mobilising a campaign. A leading celebrity has already tweeted her disgust. Or the email that pings your BlackBerry on a Sunday morning confirming that environmental regulators have picked up a sustained breach of emissions standards from your production facility, polluting a natural park and triggering a multi-million dollar class action lawsuit.
The stuff of corporate communication nightmares, for sure.
But recently, we’ve found ourselves helping a number of different partners and their clients work through a scenario that feels like a simple, technical oversight but research shows, would drive 70% of consumers to actively avoid a brand: data loss.
Data from researchers Ipsos-MORI found that 70% of consumers would seriously consider avoiding a company found to be failing to keep customer data safe – higher than for a firm discovered to be exploiting workers overseas, (53%), overcharging customers (51%) or causing environmental damage (49%).
In practice, organisations which lose data face some real challenges communicating the bad news well. Home Depot allegedly took several weeks to identify and email the 56m customers affected by a hack which targetted customer credit cards. Likewise, it took Sony over a week to publicly acknowledge a massive breach of its PlayStation network in 2011, and years later regulators were still criticising the firm for ‘avoidable’ lapses in password security.
These types of situation demonstrate the speed and power of social media in a crisis, where customers and security bloggers, traditional journalists and regulators come together and stories of this kind are difficult to control.
So, aside from strong IT safeguards and compliance, what can do you to put yourself in the best possible position to protect your reputation in these situations when the proverbial horse has bolted?
- Make friends with the stable door. Speed is a particular challenge in these situations, and practising your links with colleagues in IT, audit and legal is vital to ensure the roles are clear and you can mobilise as a team rapidly. You need to be able to establish the facts and – crucially – share them with customers, quickly. Colleagues in other functions may have regulatory compliance at front of mind, but that can’t come at the expense of timely communication with the wider world.
- What was the stable door like anyway? Silence goes down badly with the online audience, who invariably fill the void with speculation and amateur sleuthing. Ahead of time, work with your corporate colleagues to identify what you can safely share about your policies and recommended good practice in terms of data security, so that while you’re establishing the extent and impact of a breach, you have some material to work with for corporate communication. Apply common sense and empathy: there’s nothing worse than a brand trotting out banalities about commitments to customer privacy when Twitter is awash with stories of the opposite. What hard facts and reasons to believe can you share?
- What should folks do around loose horses? Home Depot offered affected customers 12 months of free credit protection services and advice on staying safe online. WordPress.com reset 100,000 users’ passwords as a pre-emptive step after 5m Gmail passwords surfaced online. Customers will be looking for your frontline social media channels to be helping them establish if they’ve been affected, providing advice on what they need to do next, and taking pre-emptive steps to protect them – as well as providing reassurance that the team is dealing with the technical side of the breach itself.
There’s no avoiding the fact it’s going to be a difficult few weeks for the organisation, but showing humanity and responsiveness though corporate channels could make the difference between retaining loyal customers and suffering a mass exodus and earning the wrong kind of reputation for security and competence.
Follow @socialsimulator and let us know what you think