BreachExchange mailing list archives

Reputation management of a data breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 11 Sep 2013 00:10:47 -0600

http://www.taylorwessing.com/globaldatahub/article_reputation_management_data_breach.html


Data security breaches almost always give rise to a risk of
reputational damage to the company responsible for controlling and
processing the data.  From the moment the breach occurs, the media may
start making inquiries and/or publish or broadcast allegations about
the breach.

Also, there are likely to be worried or angry customers whose data has
or may have been disclosed without their consent.  They may publicise
the matter in social media and/or inform journalists, as well as the
regulator.

Whether the breach results from a third party supplier accidentally
leaving a laptop on a train or from sophisticated hackers breaking
through firewalls and encryption systems, it can lead to distrust of
the company.  In turn, this can result in lost sales and/or a dip in
share price.

Prior to a breach

Within a very short time after the breach, a journalist may be
telephoning demanding to know what has happened and who is to blame.
It is very important to be prepared for this.  A company should plan
in advance who will be part of its data security breach team because
it will need to react very fast to try to preserve its hard-earned
reputation.  This should preferably include an expert in reputation
management and PR, as well as regulatory and litigation experts.

On the breach occurring

The following are recommended:

- A journalist could contact anyone in your organisation.  Make sure
  that all employees (or suppliers) channel any inquiries to the
  relevant team dealing with the breach.

- Journalists may suggest that your company is to blame and/or ask
  what happened.  In the beginning, you may not actually know what has
  happened, and many rumours and accusations may be circulating.  Try
  to demonstrate that the company is taking the matter very seriously
  and is fully investigating it.  Be cautious about jumping to
  conclusions and blaming others before the facts are known.

- It may be that you were not actually to blame and a third party
  supplier caused the loss/breach.  However, if you are the data
  controller for any affected personal data, you may be deemed to be
  responsible for the security of the data, even if you did not cause
  the breach.  Furthermore, defaming a third party can expose you
  and/or the company to the risk of a defamation action.  Two of the
  main defences to a defamation claim are (i) truth and (ii) honest
  opinion based on true facts; therefore, be sure of the facts before
  trying to blame others.

- If a journalist contacts the company, this is the company's chance
  to correct any false assertions or at least to get the company's
  side of the story across.  In England, it is very difficult to
  obtain a pre-publication interim injunction to stop someone saying
  something defamatory.  Therefore, it is better to communicate the
  key message to the journalist.  A 'no comment' response may be
  interpreted as an admission of guilt.

- Be aware that anything you say to customers and/or journalists may
  be used by the regulator, the company's insurers and/or in
  litigation against the company.

Material already published by the media

If the media has already published false and defamatory allegations
about the company, it may be possible to obtain a correction and/or
apology by deploying defamation law and/or the relevant press
regulations.  It is generally easier for a media organisation to amend
or add a statement to an online piece than to publish something in the
next hard copy edition.  Moreover, online content is arguably more
important to correct or balance, since it is searchable and can be
available forever.

In England, the media may have a defence to a defamation claim even if
the allegations are unproven or false, namely qualified privilege.
This applies to stories on a matter of public interest which are the
result of responsible journalism (the "Reynolds" defence).  Once the
provisions of the Defamation Act 2013 come into force (likely by the
end of 2013), companies will find it more difficult to rely on
defamation law for two reasons.  First, under the 2013 Act, a
statement is not defamatory of a company trading for profit unless its
publication is likely to cause the company "serious financial loss".
This is likely to be difficult to prove in court.  Second, there will
be a defence for publication on a matter of public interest where the
publisher reasonably believed that publishing the statement was in the
public interest.  It seems probable that this defence will be similar
to the "Reynolds" defence which it replaces.  However, it is currently
untested and may be more flexible.

Allegations in social media

Customers, other members of the public or even competitors may
comment on the breach in social media, e.g. on Twitter and Facebook,
and/or in the comments sections of news sites.  People can be very
quick to blame a company accused of a data leak.  It is, therefore,
important also to communicate key messages quickly on social media.
However, it can often be difficult and risky to engage in discussions
on social media, especially before the facts are known.  The main
things are to show that the company is doing everything it can to find
out the facts, limit any damage and correct any misinformation.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 