The dangerous mix of cyberattacks and GDPR should put crisis communication on top of every business’ agenda

When the genealogy site MyHeritage fell victim to a large cyberattack, the data of potentially 92 million users ended up in the hands of IT criminals, according to Reuters. At the same time, back home in Denmark, the national rail company DSB went offline due to another cyberattack. Data breaches, cyberattacks and ransomware have become the new normal. Apparently two out of three companies fell victim to cyberattacks last year, and one in every eight cyberattacks actually succeeds. Many have rightly concluded that it is impossible to protect themselves 100 pct. from a cyberattack.

If you combine this nerve-racking statistic with GDPR, which now places the responsibility for protecting users’ data solely on the companies’ shoulders, then no one should doubt that any company can potentially find itself in the media spotlight. This ‘pleasure’ is no longer reserved for the biggest companies.

Potentially, we are all at risk

Today, cyber threats and GDPR in combination mean that every company that holds confidential customer data risks becoming the centre of a media storm. Not to mention the possibly fatal breach of trust that may arise between the user and the company, if it turns out that:

  1. The company hasn’t done enough to protect itself and its users’ data.
  2. The company discovers that IT criminals have gained access to the users’ data but decides to keep it a secret.

Both scenarios are serious and realistic. Even though news of cyberattacks is a daily reality, it is far less common for companies to proactively share information about data breaches with the public.

Why?

The shortest way to forgiveness

You don’t need to be Einstein to understand that many companies that keep data breaches a secret do so out of fear of losing their users’ and business partners’ trust.

I do understand the difficult situation the companies are in!

Of course, a company is afraid of losing precious trust and compromising its relationship with its users. Lack of trust usually equals losing users, and they will likely go straight to a competitor.

But think about it this way: What sort of reputation do you prefer?

  1. As a company that honestly reports data breaches, so that its users have a fair chance to act and protect their data?
  2. Or as a company that tried to keep the data breach hidden from the public, thereby giving the IT criminals even more time to carry on their criminal activities?

Those who choose to keep data breaches hidden are not evil companies (if such companies exist). They are simply afraid of the consequences.

But what if I told you that there is a viable way for companies who experience data breaches to honestly speak up and at the same time maintain – or even strengthen – reputation, confidence and trust?

In crisis communication, you can find the strength to maintain the precious trust

What did MyHeritage do when they discovered that IT criminals had access to their users’ data?

Shortly after the data breach, their CISO (the person responsible for the company’s IT security) openly came forward. On the company’s website, he explained what the company had discovered, what steps they were taking to correct the problem, and how they protected the users’ data in general. Likewise, he gave the users clear instructions on what measures they could take to protect themselves.

And this is where MyHeritage took a crucial step towards rebuilding confidence: by issuing a “Holding Statement”.

A Holding Statement is the very first announcement issued by a company in a crisis. Its purpose is twofold:

  1. To re-establish trust between the company and the outside world.
  2. To take control of the story, so that it is the company, and not the media or a social media shitstorm, that sets the agenda going forward.

Companies that have been in the middle of a social media shitstorm, or the centre of attention in the media, know how difficult it is (if not impossible) to break out of a very narrow and one-sided interpretation of reality once others get to define it.

How to take the first steps towards crisis management

To get ahead of any media agenda or shitstorm, it’s important that you make sure the ball is in your court. This is exactly what a Holding Statement does, if it is published quickly, preferably within one hour.

A Holding Statement is short and precise, and it contains:

  • The most important facts – answers to what happened, when it happened, what the company is doing now and how it will improve in the future.
  • What the next step is.
  • Timeline – when and how the next update will be given.

And then it’s important to show empathy. If the news is already public and people are angry or afraid, it is important that you address these feelings. If people are scared, you must calm them. If people are angry, you must show that you understand. It’s important that you show that you will help them as much as possible.

Yes, there are probably a lot of things you won’t know, and it is a very bad idea to start guessing. Instead, you should provide concrete answers to what you do know for sure and how you will find answers and solutions to the rest.

Of course, a Holding Statement is only the first phase of your crisis management. But it is important to take the right step towards the ongoing process of managing the situation.

The right step away from the public spotlight

MyHeritage’s user data is still at risk. But by acting quickly and with confidence, MyHeritage has helped its users regain control of their personal data by telling them to change their password, check for suspicious activity on their accounts and, most importantly, act with caution.

This would not have been possible if the cyberattack had been kept a secret.

The message is clear

In times like these, the wise company prepares for the day when it needs to manage a data breach itself.

In case of a data breach, you not only have to meet the requirements of the authorities; you also need to focus on providing proper information to your customers, users, the press and, not least, your own employees. If any other stakeholders are affected by the data breach, they must be informed too.

It’s always better to share a data breach with the public – but do it the right way so you don’t end up with even more challenges.