Tips for managing your reputation after a data breach

Published on Thu, 01/08/2019 - 15:59

Surveys show that customers are more concerned about the security of their personal data than ever before. All organisations are vulnerable so having a robust response plan in place is vital for regaining trust in the event of a breach. Sarah Hewitt from Gallagher and Ciaran Simms from Travelers Insurance offer practical advice.

In an age when a negative post can go viral and a video can reach millions of people in a few hours, reputation management is moving to the forefront of corporate concerns. Brand reputation is valuable to companies because customers see this as representing positive attributes that build trust - and trust leads to sales.

Unfortunately, the opposite is also true. When a brand becomes associated with negative messages, the damage in the marketplace can be extensive.

Increasingly, data breaches can create negative attention for a company, often leaving customers believing that their information has been mishandled because of corporate indifference.

A 2012 Financial Times article pointed to the growing sensitivity of customers, alluding to a survey by PR firm Edelman which found that 70% of customers are more concerned about data security and privacy than they were five years ago, and 85% think that companies need to take protecting data more seriously than they do.

If your company collects and stores data, a data breach is always a distinct possibility.

Consider the following statistics:

  • In PwC’s Global State of Information Security Survey 2018, it was found that over a quarter of businesses (28%) were unaware of how many cyber attacks had taken place.
  • The same survey found that a third of businesses did not have knowledge of how the cyber attacks took place.
  • On average, 19 hours of business would be lost after a cyber attack.

Companies hitting the headlines because they have been victims of data breaches are almost too numerous to mention.

Examples include:

British Airways was recently fined £183m after hundreds of thousands of customers’ credit card details were stolen - including the number, expiry date, and three-digit security code or ‘card verification value’ (CVV). Under the General Data Protection Regulation (GDPR), BA’s fine represents 1.5 per cent of its worldwide revenue in 2017.

Not all data breaches are due to malicious hacks. Marks and Spencer apologised to customers after its website experienced a technical error that allowed customers to see each other’s personal details.

Marriott International hotel group was involved in a data breach when a hacker stole information of up to 500 million customers.

Yahoo admitted it had been hacked three years ago, and 3 billion of its records had been breached with all users being affected.

What can companies do to protect their reputation in the face of data breaches?

Many experts agree that the most effective protection for your reputation is to consistently follow best practices when conducting your business. However, bad things can happen to good companies - especially when it comes to data integrity in an era of hacking, viruses, spyware and malware. Therefore, it is important to be prepared.

  1. Assess your risks: understand the risks to your reputation from a data breach.
  2. Form a response plan: create a plan for handling a breach event, including creating a Breach Response Team. If a data breach occurs, what steps will the company take first? Who will notify authorities, handle the media and liaise with customers? What resources are available to handle the extra workload and provide the expertise to address the situation? Think of the questions you will be asked by your customers following a data breach, e.g.:
  • What action is the business taking to help affected people?
  • How can customers get more information?
  • What type of data was breached?
  • What steps are being taken to make sure it does not happen again?
  • What are the next steps, and how will the company keep customers informed?

The plan should lay out timelines and responsibilities so that key decisions do not have to be made in the heat of the moment.

  3. Build relationships: to avoid a steep learning curve in the midst of a crisis, develop relationships in advance with companies who can provide reputation management assistance.
  4. Transfer your risk: as for any other type of risk, a company should look for ways to transfer the risk of suffering a data breach. Many types of insurance today include coverage for cyber incidents. Look for a policy that pays for reputation management and PR services.

A data breach can erode a brand, and the consequences for businesses, such as a lack of trust and loss of customers, need to be kept in mind. To help manage and mitigate these risks, it is critical to formulate a plan and be prepared.

Sarah Hewitt is director in the Major Risks Practice of Gallagher.

Ciaran Simms is a technology underwriter with Travelers Insurance.