Breach Survival Lessons, Part II

The Formula for Victory and Reputation Damage Mitigation:

The Eight Crucial Breach Survival Lessons and Two Warnings

  1. Your breach response can be technically perfect, but if you fumble and bungle the customer and public response, that’s how your response will be reported, judged and remembered.
    • Avoid any behavior, action or decision that further damages customer/employee trust. Simply ask yourself at every opportunity, “Is what I’m about to do, say, decide, or propose likely to build trust or subtract trust in me and my institution?” You will know what to do.
    • Most trust damage during breaches is self-inflicted.
  2. Every Institution, Organization, Business and Individual Is at Risk. Everyone with a credit card on the planet has been hacked, through some institution, several times already. It is still a frightening and personally victimizing experience.
    • Victims have extraordinary power and influence.
  3. Victims Will Challenge Your Technical Prowess. If you’re an institution or an organization that is breached, you gain the status of a perpetrator, and your technical prowess will be powerfully challenged and minimized. “Why weren’t you ready for this?”
  4. The News Stories and Blogs Will Be About Customer Pain and Suffering Rather Than What’s Happening to You. No one cares about perpetrators. Checking all the compliance boxes is essential, yes, and expected. But it is customer concern, fear, doubt, and feeling like victims that will drive your negative public exposure, media coverage, and government or regulatory interest.
    • Plan to begin rebuilding and reestablishing customer trust from the instant you know they are threatened. See Warning # 1, below.
  5. A Breach Is an Enterprise-Wide Event. Institutional readiness for breaches goes well beyond IT preparations. Think about and be prepared:
    • For regulatory requirements.
    • For multiple notifications.
    • Have your investigation strategy and resources in place and tested periodically so they can be activated immediately.
    • Prepare all functional areas that could be affected: IT, communications, legal, human resources, compliance, regulatory, marketing, etc.
    • Know the state and federal laws, rules and regulations that will guide your institution through a breach.
    • Understand cyber insurance coverage options.
  6. A Breach Is a Customer Trust Issue. Silence destroys customer (victim) trust and inflames legacy media, new media, bloviators, bellyachers, and back-bench quarterbacks.
    • Have ready and tested direct customer contact processes and strategies.
    • Trust declines rapidly when fear, uncertainty and doubt escalate.
    • Pre-draft and approve key communications so notifications can be made quickly.
    • Be apologetic and sympathetic.
    • Be honest with customers.
    • Promptly and repeatedly communicate what customers need to know for their own safety, protection and recovery.
    • Communicate directly with your employees and customers before engaging the media.
    • Manage your own destiny: clarify, comment on or correct media and other accounts to keep the public record straight. If you fail to do this, someone you don’t like will do it for you.
  7. Silence Is a Toxic Strategy for Your Reputation. (Yes, I am repeating myself.) Talk now. You can neither recover from nor explain the silence that is often imposed once a breach occurs. Victims interpret silence as guilt. Victims interpret silence as hiding things. Victims interpret silence as covering up.
    1. Breach survival is about maintaining customer trust, primarily through direct communication.
    2. Customers will reach out to anyone who can help them . . . so be there.
    3. Talk straight. Avoid the appearance of lying or being self-forgiving . . . how “proud” you are of your organization, “it’s an isolated incident,” blaming the problems your customers are having on somebody else, “no one can be totally prepared for something like this,” “we are doing the best we can.” These phrases are the language of perpetrators; they remind everyone of “I am not a crook” and “I did not have sex with that woman.”
    4. Make all of your comments specific but simple, positive but helpful. Better to have frequent but brief communications than to try to cram everything into a single document, mail piece or letter in small print. Small print on important matters sends the message that you don’t care and that you are not particularly interested in hearing from the recipient.
  8. Always Make Your Communication Personal. Avoid the “Dear Valued Customer” approach. Use customer names wherever possible. If you are sending a letter to a customer, you probably have their name. If so, use it. If someone’s privacy and perhaps personal life has been seriously damaged or threatened by a breach, it’s far better that you sound like you really care. A little empathy and sympathy go a long, long way.

Warning # 1:

When public authorities ask you to remain silent, you must consider the damage this is going to do to you. The public doesn’t care what the Secret Service says, or what the Treasury Department says, or what some other government agency says in asking you to be silent. You are held accountable for not talking from the very beginning. The decision to talk can be a reputation-defining event for the organization and its leadership. Remember Target. The CEO was removed; the entire board has been changed out. They remained silent for nearly a week, until they were outed by a blog, rather than letting their millions of customers know that their financial safety was at risk. Target has yet to recover from this damage. It’s an important lesson for everyone who runs a business or organization. Whether you remain silent or not is a leadership decision, a trust decision, rather than a police decision. Always has been.

Warning # 2:

Avoid over-confidence. Something happens to senior management groups when these events occur: the first inclinations seem to be to ignore what’s happening, to try to make the best of it at first, and to encourage people to avoid talking about it or worrying about it. The most powerful property of bad news shows itself almost immediately: it ripens badly and things get worse. This behavior surfaces in training and readiness sessions as well as in actual breach events and other kinds of adverse organizational circumstances. Get serious immediately. Focus on what needs to be done, what the public expects, and what your employees expect as well. Develop a step-by-step, scenario-based response process that you can rehearse, walk through and perfect.

The most common ingredients of failure are management delay, denial, stalling, and putting a happy face on what everyone else knows is a potentially horrific situation. If you appear timid or hesitant, confused or reluctant, that’s how your response and leadership will be forever characterized.


James E. Lukaszewski, ABC, Fellow IABC; APR, Fellow PRSA, BEPS Emeritus


If you have questions, or would like to dive more deeply into the subject of this blog, you can reach me 24/7 at jel@e911.com; 203-948-7029 (voicemail, email, text). I look forward, as a friend and colleague, to helping you achieve the objectives you’ve set for yourself for having a happier, more influential, successful and meaningful career.
