Your organization has experienced a data breach. How do you handle telling your customers? One of the key pieces to a data breach response is the announcement to the public and affected individuals. How a company deals with public relations after a breach determines how successful they will be at recovering from the breach. Cyberattacks and data breaches are the top threats to a business’s reputation, and they are as impactful as a major environmental incident such as an oil spill (Cyber Data-Risk…, 2014).
In 2017, a key example of this phenomenon was the Equifax data breach, in which 143+ million individuals in the United States, United Kingdom and Canada had their personal information stolen. First, the company had knowledge of the breach nearly a month before an announcement was made to affected individuals. Second, at the time of the announcement, the company offered free credit monitoring and credit freezing to impacted individuals. Unfortunately, Equifax was unable to handle the volume of individuals going to its websites and calling into its call centers to request these services.
This was only the beginning of the multiple issues which plagued the Equifax data breach and ultimately resulted in the resignation of many top-level officials including the company’s CEO.
In order to combat this type of disastrous situation, hospitality businesses must have a response plan in place that involves a well thought-out public relations plan and an appropriate timeline for notifying affected individuals. Depending on the jurisdiction, the deadline for notifying impacted individuals may be a matter of days, weeks or a month; in the United States, by contrast, there is currently no federal law which governs this process.
Rather, the notification process is covered by a patchwork of state and local laws. The EU’s General Data Protection Regulation (GDPR), which became effective on May 25, 2018, requires businesses to provide notification to the supervising authority no later than 72 hours after having become aware of a personal data breach. Since many organizations operate in multiple jurisdictions, it is important to examine all applicable laws.
Often, companies will engage a PR firm to handle this all-important piece of the data breach response. The cost of the PR firm can often be covered by cyber liability or data breach insurance and is a necessity for companies to fully recover after a data breach and the loss of confidence from their customers. Communication avenues which should be considered include notification letters and social media posts — and the right message must also be set on the company’s website.
The following are general guidelines on managing media during a crisis:
- Choose a company spokesperson. Will this be the CEO of the organization or an appointed representative from a public relations firm? This should be determined in the pre-planning process in addition to a person who will approve press releases and responses to media.
- Speak calmly and clearly. When speaking to the media, the designated representative should be professional and should clearly identify themselves and their position within the organization.
- Avoid speculations. Individuals impacted will want the facts, including when the data breach occurred, what information was breached, etc.
- Be upfront. If the spokesperson does not have the answer to a question, they need to provide a reason for why they cannot comment. Reasons not to respond to a specific question include:
  - a pending legal investigation,
  - incomplete information, or
  - the responsibility belongs to someone else, in which case the spokesperson should provide that individual’s contact information.
- Show concern. The company spokesperson must express genuine concern for those impacted by the cybersecurity breach.
- Emphasize the positives. At this time the company’s representative has an opportunity to emphasize the positives of the organization. Discuss current security efforts which are in place, how the organization is mitigating any future loss, training programs implemented that relate to the data breach, and the company’s commitment to cooperating with investigating authorities.
- Put the brakes on advertising. Temporarily suspend advertising for a period of time appropriate for the crisis endured.
- Counteract the negative. Consider creating a publicity campaign to counteract any negative impact caused by the crisis. (Barth & Hayes, 2011)
- Barth, S. C., & Hayes, D. K. (2011). Hospitality law: Managing legal issues in the hospitality industry (4th ed.). New Jersey, NY: John Wiley & Sons. (p. 446)
- Berman, J. (2014). Backup for Dummies. Hoboken, NJ: John Wiley & Sons, Inc.
- Cyber Data-Risk Managers Pty. Ltd. (2014). Public relations after cyber attack. Retrieved October 2, 2017, from http://dataprivacyinsurance.com.au/uncategorized/public-relations-after-cyber-attack/
Tanya Venegas, MBA, MHM, CHIA is director of customer success for HotStats based in Houston, Texas USA. Tanya served as executive director at the HFTP Americas Research Center at the Conrad N. Hilton College of Hotel and Restaurant Management at the University of Houston for more than 15 years.