Harlan Loeb is the Chairman of Edelman’s Crisis, Issues & Risk Practice. With over 25 years of experience, he works with companies all over the world to build capacity in managing crisis and reputational risk. Harlan also serves as Professor of Crisis & the Court of Public Opinion at Northwestern Law School.
Harlan Loeb: If you have not done so already, it is critical to determine who’s on the team, and which team member will have the authority to make decisions. Keep the team as small as possible. In most cases, the essential individuals are represented by the heads of IT, security, legal, communications, the business lead and perhaps the CEO. This rule should also apply for outside advisors. Doubling up on outside legal counsel, lobbying firms, or bringing in new players midstream will only hinder the response. You should also have a back-up PR lead, so that the main contact doesn’t burn out from managing communications and media requests 24/7.
Skroupa: How soon after the crisis occurs do I need to issue a statement or speak to the media?
Loeb: Every data security issue is unique and often represents a fluid situation. It’s important to focus any initial messages on the steps that the company is taking to investigate the issue. It is equally important to be very cautious about disclosing any ‘facts,’ such as the number of records impacted by the breach. If you must communicate something, say what you know, acknowledge what you don’t know and continue to keep stakeholders updated. Companies must be diligent to resist communicating numbers early in an investigation, and be careful about claiming the issue is fully resolved too soon. While a company is likely to receive scrutiny in the media for taking longer to provide more details about an incident, this type of negative attention is easier to manage than communicating misinformation.
Skroupa: How do we manage the message?
Loeb: Communicating the right messages at the proper points in the lifecycle of a breach will have a significant impact on how a breach is received. While developing messages should not be one-size-fits-all, the following are key principles to follow:
- Focus initial messages on the steps being taken to investigate the issue, and frame it as a criminal issue.
- Think through what you push out and how to respond via social channels. There’s no need to have a public debate in front of millions of followers.
- Set up the appropriate media/social monitoring and listening posts to see how the breach is being covered. Customers must be your north star, so make sure that you communicate with them clearly and effectively through traditional and digital channels. However, don’t neglect the wide variety of stakeholders interested in breaches, including policymakers, regulators (state and federal) and industry stakeholders (e.g. payment brands).
Skroupa: What should I focus on prior to a data security incident to better the chances that my company will handle the issue well?
Loeb: To truly get ahead, the leadership teams must focus on getting four simple things out of the way. First, determine your outside counsel, forensics firm, communications counsel and credit monitoring service. Then, create a data security crisis scenario that involves all the functions responsible for legal, regulatory, operations and reputation. Following this, put your teams through a crisis simulation so they can work with all of their colleagues to better understand the gaps in the processes and procedures. Lastly, develop relationships with lawmakers and regulators in the states in which you do business. Meeting them for the first time after a data security incident is not the best way to make a first impression. Also, ensure that the communications plan includes drafts of key media materials that will be useful during an incident.
Skroupa: What are the key traits that an organization should look for in a forensics partner?
Loeb: There are three critical things an organization should look for in a forensics partner, including:
- Separate technical forensics and incident response contacts.
- Make sure investor relations specialists have a strong understanding of data breaches and the ability to preserve evidence in a forensically sound way.
- Recognize that it will be used in a way that will protect an organization in the event of a breach.
Skroupa: Is it important to have someone leading the incident response team that understands the enterprise risk implications of a breach? If so, what are the key traits that an organization should look for in a legal partner?
Loeb: Responsiveness, creativity and relevant experience (i.e. repeat performers). When vetting a legal partner, ask questions about their work styles. When assisting with a data breach they should have 24/7 availability; they need to be comfortable offering that level of support. Relationships with regulators are also helpful, and can be a useful tool; this is a question you can ask during preliminary interviews as well. A relationship on Capitol Hill can be helpful, but it is more important to have awareness and relationships with data breach regulators, whether that is the state AG or organizations regulating a certain industry.
Skroupa: Who should be the spokesperson?
Loeb: When considering who should be tapped as chief spokesman, don’t necessarily think immediately of the CEO. Edelman’s 2014 global trust barometer found that the CEO isn’t necessarily trusted as an academic or expert (e.g. the chief information officer) is. In addition, any breach will hurt an organization’s reputation for trust, and repairing that can take time. It is best, then, to tag-team the two: using the CEO to talk about the state of the business and customers, and the CIO to talk about the technology issues and, if necessary, the security and technical details.
Serhat Cicekoglu, Director of Loyola University Chicago Quinlan, Center for Risk Management adds: “When an adverse event occurs, being in the dark about its causes and potential effects only makes stakeholders nervous. Trust is lost as rapidly as answers are demanded. This puts a company under an expanded sense of attack before it has effectively addressed the root incident. Readiness empowers the response team and proactive communication calms the stakeholder. Both are pivotal in gaining confidence and control over the crisis situation. Preparedness is the first step in maintaining business continuity. Over the years, we have seen a plethora of examples where companies have overestimated their response capabilities and underestimated the value of a well-designed response plan. Trust and confidence grow when we are informed of what is unfolding.”
On October 14, 2014, Loyola University Chicago, Quinlan School of Business, Center for Risk Management will host its first Executive Dialogue Series seminar program on Resilience—Big Data and Cyber Security. Continue the discussion with Harlan Loeb, Serhat Cicekoglu, Director of Quinlan’s Center for Risk Management, and a select group of 25-35 company executives and internationally renowned experts on resilience. To inquire about attending contact firstname.lastname@example.org.