Can a data breach help your brand? It seems like a provocative thought as we have seen too many companies’ reputations tarnished by a breach. In reality, no two breaches tell the same story, and how a company reacts and responds to a breach is what will be remembered.
By now, we have all grown used to hearing that it is not if, but when an organization will be breached. As individuals, we have grown accustomed to this sort of breaking news, and we probably have all been personally impacted by one. For an enterprise, however, one of the critical things after a breach is not only how quickly it can mitigate it, but how well it communicates the damaging news to customers and the public. A data breach may not sink a brand, but a response to a data breach may well do that.
The stigma associated with a breach is not nearly as strong as it was four or five years ago. Most of the data breaches that make and stay in the headlines are the ones where the company’s response was questioned and its communication criticized. Yahoo! took a lot of heat after its series of breaches, mostly in terms of how lax it was in its approach to cybersecurity. A password reset was not made mandatory, and communication was vague and tardy.
It is human nature to not want to spread bad news. In the case of a breach, it is also challenging to communicate what happened simply because the company itself may not yet know what happened. The impacted organization needs to investigate when the breach started, how it happened and, more importantly, what data was stolen or compromised and whether that data is of a sensitive nature, such as personal identifiers, credit card information, health records or even tax records. In many cases, companies learn about being breached through a third party alerting them that some of their data is for sale on the Dark Web. Sometimes these third-party investigators publish the news with little notice for the company to react. And in some cases, companies will wait to alert their customers after being notified.
This may not feel like fair game. So how on earth can a data breach help a brand?
The (Positive) Brand Impact Of A Data Breach
With data breaches being so common today, organizations should start looking at them as an opportunity to interact closely with customers. Transparency is critical to turning what can be a very negative impact on the brand into a positive one. Even if the breached organization doesn’t have all of the details at its fingertips to answer the who, what, when, where and why of a breach, openly and swiftly acknowledging that a breach has occurred will go a long way in keeping consumer trust intact. It can keep that transparency going by sharing regular updates on the forensics investigation itself and on the steps being taken to ensure a breach will not happen again.
When it comes to a data breach, it is not just about communication; it is about culture and commitment to customers. Companies that clearly put their customers first will always come back with a stronger reputation. Home Depot is a good example of this: It was extremely proactive in its response, alerting customers even before it had a chance to fully confirm the breach.
You’ve Been Breached — Now What?
There are many steps to take to mitigate and shut down a breach once it’s happened, and every organization should have a response plan in place. They should also all have a crisis communication plan, which ensures that while one team works on the forensics and mitigation aspect of the breach, the other team is busy communicating the details of the breach to the organization’s core constituencies. Above all, the communication to customers and to the public should come from the executive team, as this will signal just how seriously the breach is being taken.
Five Rules To Follow In Data Breach Communications
To get ahead of the next data breach you may face as an enterprise, here are five communications rules to bear in mind:
- Have a communications plan in place in the event of a data breach. Within that plan, it’s important that you include various scenarios based on whether you know the extent of the breach, what information was breached and the timeline for when the breach most likely occurred. A communication timeline should be established based on the findings, with regular updates shared with various stakeholders.
- Prioritize your customers and communicate with them first. Customers are the ones who will ultimately help you preserve the reputation of your brand. Recognizing a leak early is always better than waiting for your customers to see it first in the news. This is the fastest way to keep and maintain consumer trust.
- Involve senior leadership in your communications strategy. Having the message come from the top executives is crucial to showing customers how seriously you take the security incident. Having the whole company aligned behind one message will only strengthen the impact your response has on customers.
- Be transparent. Outline the steps your company is taking to mitigate the breach and keep the lines of communication open, providing regular updates online (in a blog post, for example) where customers can easily find more information about the breach.
- Communicate, communicate, communicate. The more you openly discuss the topic, the more in control of the situation you will be perceived to be. Continue communicating well after the news headlines are publicized to show that your commitment to protecting your customers’ data is real and constitutes a significant investment.
While no company is safe from attack today, all companies can be proactive in how they plan for the inevitable. In doing so, organizations can actually turn a very damaging event into a brand-reinforcing event, fostering customer loyalty for the long haul if handled properly. Brand trust must be protected — this is so important because once consumer trust is lost, it’s almost impossible to get it back.
This post was originally published on Forbes.com.