Brand Protection

Think about your reputation

A security breach can seriously damage your reputation, so make sure you're fully prepared should the worst happen

When data goes missing or hackers break into your network, your first instinct may be to minimize the immediate threat to customers, employees and your business as a whole. However, many companies find themselves rushing to contain the incident without a well-prepared and coherent brand protection plan.

Surprisingly, in many countries, there's currently no law obliging organizations to publicize a breach. But trying to keep a lid on events can be risky. After all, you won't look particularly clever if angry customers first hear about an incident through the media.

What's the worst that could happen?

Before you react with a major publicity offensive, it is important to assess the potential harm that the breach could cause to your reputation.

Data such as medical or financial records are highly sensitive and affected parties should be informed straight away. On the other hand, some data losses are undoubtedly less serious and, if they're swiftly resolved, loyal customers may well be kept happy with a letter of apology.

In 2008, for example, a major credit card provider sent out several thousand account statements containing personal information on other customers. The risk from this mix-up was deemed to be fairly insignificant and the company simply reissued the correct statements along with letters of apology.

On the other hand, some incidents may have financial repercussions and damage reputations. In mid-2009, a financial institution was fined more than US$5m (€3.5m) for failing to protect customer data from theft or loss. The penalty was reduced from over US$7m (€5m), due to their cooperation with the regulators to resolve the security matters quickly.

Offer clear instructions

All those affected should be told the steps (if any) they need to take to protect themselves. Similarly, you should clear the path for the appropriate regulatory bodies to perform their functions, provide advice and deal with complaints.

In 2007, an unencrypted laptop belonging to a large retailer was stolen. It contained personal information on thousands of its employees, so the firm wrote to every one of those employees offering free credit checks to monitor for suspicious activity.

Timing is critical

In some cases, though, immediate notification may not be the most appropriate action, as the case of another retail firm illustrates.

Having discovered that hackers had broken into customers' payment details in 2006, it held back from making the news public while the police investigated. The delay proved crucial and led to several arrests and criminal charges. The company finally broke its silence with a press release providing a free phone number for customers, and advice that further information was available on its website. It also apologized unreservedly for the breach and outlined how its customer security had been improved.

You never know when the worst may happen, so it pays to be prepared. In today's 24-hour media goldfish bowl, organizations have to manage their image proactively to ensure they don't get caught out. Above all, don't make the all-too-common mistake of trying to deny or cover up what's happened. This will only drop you in even deeper water and could destroy your credibility for good.

Damage limitation in six steps

Don't simply wait passively for the unthinkable to happen. Your communication strategy should combine careful preparation and fast, decisive action, as any delay in response could be interpreted as a cover-up. But if, in your haste to act, your statement is ill thought-out, you could look as if you don't take the incident seriously. And remember, you may even find that a swift, appropriate response can actually enhance your reputation as a responsible organization.

1: Put someone in charge

Establish who is responsible for containing and investigating a breach and for forming an incident response team.

2: Form an incident response team

You'll need input from individuals across the organization, including corporate communications, senior executives (as spokespeople), IT, HR and Legal. You may also have to involve external stakeholders and suppliers. Meet regularly to share information, brainstorm and update the plan.

3: Have a clear plan

Identify the types of data you store and the various potential risks posed by its exposure. That should determine the appropriate action required to counter such risks. Work out who you may need to contact, what to tell them and how to reach them, taking into account different time zones. Once a breach has occurred, you should explain how and when it happened, what steps you have taken, and offer clear advice on how anyone affected can protect themselves.

4: Involve third parties

You may also need to consider notifying the police, your insurers, other professional bodies, bank or credit card companies and other stakeholders. You should produce and regularly update a directory including relevant contact details.

5: Role playing

By staging a simulated incident, you'll get a good view of how ready you are to deal with the real thing, and be able to adjust your plans accordingly.

6: Media Relations

You should have a coordinated media response strategy in place, including authorized spokespeople and a legal team to check that all communications comply with relevant regulations and legislation. The strategy should include:
- A board-level spokesperson, chosen from a roster of media-trained and savvy executives
- A prepared set of answers to all anticipated media questions
- A role play with the spokesperson to prepare him/her for a potentially aggressive media
- Communications that are as open, honest and candid as possible
- A press release with quotes from appropriate executives and, if possible, relevant regulators or legal authorities. It should also include advice for organizations and consumers on how to minimize any risk
- An apology (if you are at fault, of course!)

By Neil Stinchcombe, Director, Eskenzi PR (neil@eskenzipr.com)