Last year certainly saw some significant data breach cases, including Target, Neiman Marcus and Michael’s. This year, we continue to see reports of data breaches in the news, and not all of them involve huge retailers. Some companies have communicated effectively with their stakeholders, while others have failed miserably. Moreover, those failures have a cost in revenue, profitability, and reputation.
According to the Identity Theft Resource Center (www.idt911.com), in the United States alone more than 600 breaches have become public so far this year. According to the ITRC, more than 42% of data breaches have occurred in the healthcare industry, but involve only 9.2% of all the records breached so far this year. Business accounts for 83% of records breached, totaling more than 64 million records impacted year to date.
A global study conducted by the Ponemon Institute (www.ponemon.org) for IBM noted that the 2014 average cost paid for each lost or stolen record containing confidential information is $145.00, a 9 percent increase over last year. The report also noted that breaches of 10,000 records or fewer are far more likely than a mega-breach. Yet using these statistics, a breach of, say, just 5,000 records can cost a company as much as $725,000. That’s nothing to sneeze at.
The lesson for companies is to consider a breach likely and to plan accordingly. If your business maintains customer or patient records containing confidential information, or if you accept credit/debit cards or do business online, you should have a crisis communications plan in place.
We recommend to clients that they include data breach as a possible scenario when planning for the most likely crisis events in their business. As part of that planning process, we urge clients to develop talking points ahead of time and vet them with legal and senior management. By having at least that first statement ready to go at a moment’s notice, pre-approved, the company avoids the costly delays that can occur when there is no plan to communicate with customers and other stakeholders.
Once the crisis plan is approved, we encourage clients to run a simulation exercise to assure that it works as designed. We design and deploy custom simulation exercises for clients to help them fine-tune their crisis plan and fix any gaps that are found, while practicing in the safe environment of the simulation.
Don’t let your customers hear about the issue from anyone but you. Companies should be prepared to notify customers before they have all the facts. Data breach investigations can take months, but customers will quickly take their business elsewhere if they feel that their data have been exposed for too long without notification. Commit to sharing what you know as soon as possible, and to providing regular updates. Acknowledge that the situation may change, and update all audiences when it does.
As the crisis unfolds, it’s important to take ownership of the problem and acknowledge responsibility for the breach. Avoid trying to lay blame on a vendor or employee until all the facts are known. Don’t play the victim. Even if a crime has been committed against your company, the court of public opinion will not consider the company a victim. Express regret and talk about the steps being taken to assure the problem is fixed.
There is much more that we can say about the value of a plan. The investment you make in a crisis communications plan will pay for itself quickly when the inevitable occurs. It is always easier (and less costly) to prepare and prevent, than to repair and repent.