Managing the Fallout of a Data Breach – Crisis Communications
We were delighted to be invited to join a breakfast seminar organised by Mourant this week about managing the consequences of a cybersecurity incident.
Nichole Culverwell spoke on a panel alongside the Mourant team, which included cybersecurity expert Matthew Parker; Sally French, who handled regulatory and dispute resolution questions; and Hana Plesk, who spoke about the employment and GDPR implications of a breach. The panel was moderated by Jessica Roland, Mourant Partner.
To bring the topic alive for the audience, the panel examined three data breach case studies – the Tesco bank hack of 2016, last year’s Leicester Council data breach and Morrisons’ long-term woes surrounding a malicious data leak in 2014 which is still going through the courts now.
Here are Nichole’s responses to some of Jessica Roland’s questions.
Tesco Bank CEO Benny Higgins was in the media spotlight throughout the height of their crisis management. How do you select your spokesperson in these situations?
Yes, Tesco used Benny Higgins extensively and to good effect. Selecting and training your spokesperson is all part of your crisis communications strategy and planning.
When crisis communications responses are analysed, we see that organisations that use their CEO in the main spokesperson role tend to recover more quickly; that means your CEO has to step up and perform. It is also critical that good key messages, Q&As and statements are in place, and that all spokespeople have the appropriate level of media training.
Video, live and recorded TV interviews are very much part of a good crisis communications response plan. These visual mediums allow spokespeople to be authentic and show genuine empathy, but they have to be up to the job.
Tesco initially sent out automated text messages to customers, but then refined its approach to something more reassuring. How might they have avoided the initial jarring communications?
This can be difficult to manage. In this kind of situation, the priority is to communicate quickly to a lot of people, at whatever time of the day or night, and automated systems can be the best way to do this.
However, text messages can follow the same structure that we apply to media statements, and express concern, action and reassurance.
Automated responses might be the first line of communication in this kind of incident but should be very quickly followed by a more human face, well-written press statements and, if possible, live interviews.
Tesco’s social media feeds were inundated with customer questions. What are the challenges for companies when dealing with adverse social media?
Firstly, Tesco should have halted their scheduled social media posts more quickly. On the Sunday morning, Tesco Bank tweeted, “Good morning. I hope you’ve had a good weekend so far! Let us know if you have any banking queries.” Well, thousands of Tesco customers soon responded to that tweet to explain just how well their weekend was going with a frozen bank card.
Managing scheduled tweets aside, there is a lot of fear around social media in the context of crisis communications, but it’s important to see the positive role that social media can play. Use your social channels as a strategic tool to listen to the audience, monitor the media and share your own brand messages.
Organisations can use social media to continually measure sentiment and monitor who is influencing who and the level of interest in the story, which can help you plan your wider communications responses.
You can’t respond directly to each tweet – that’s not expected – but you can use the channels to communicate your messages, talk to your customers directly, impart important information quickly as soon as you know it, issue facts to bolster your position and communicate with the media.
It’s your channel so you really need to own it, control it and use it to its fullest capacity.
How about your own staff – how important is it to include them in your crisis communications plan?
Internal communications need to be part of the planning mix but the key messages are the same as those going out externally – everyone needs to work off the same script.
Remember the staff who are the front line of incoming phone calls – the receptionists and the PAs need to know what to do when an impatient journalist calls.
You may need to protect your staff, and give guidance if they are getting negative feedback on their personal social media channels. We have to respect that we can’t control what people post, but making sure staff understand what’s going on and the key messages will certainly help.
And your senior people can certainly be sharing the right messages on their social feeds, if they use them regularly; again, particularly the CEO, senior executives or the board.
Given the legal risks, lawyers are often very cautious about external communications for the fear of worsening their position in litigation. Might you be best to just stay quiet?
Staying quiet is absolutely not an option – it’s the first rule of crisis communications. If you say nothing you will create an information vacuum – ready for the media and other audiences to fill with rumour and conjecture.
Good crisis communications starts with understanding what you need to say, what your audience will care about, what you as a brand want to say, and balancing that with what you can say.
Often we have to tell our clients to issue statements without having all the facts, which makes them, and their lawyers, uncomfortable.
But make no mistake, it is critical to tell people what you DO know and what you are doing about it.
It’s perfectly ok to explain when you think you will know more and repeat the statements as more information comes in.
In the Tesco case the regulatory decision came some two years after the initial incident. How do you approach the long-term versus short-term communications strategy for such instances?
The Morrisons case is also a good example here. It stands out because of how it has run and run over many years, with the initial story, the court cases and the court of appeal.
That can be exhausting for those involved and of course with every development the original story gets dragged up. A few strategies to consider include:
- Record keeping: recording interviews, monitoring output, measuring key message delivery – that will help both in the short term and into the longer term as well.
- Short-term activity will be focused on concern, action, reassurance messages; these will then build and become more specific in the long term as you know more and as your organisation’s response develops.
- Long-term activity will become more refined. You will have more time to get stakeholders on board which can give you some vital third-party endorsement or at least move sentiment from negative to neutral.
- You will have more time to plan for the next stages – the regulatory decisions or court cases etc.
- Protect your employees: keep them informed – don’t let them first hear about a development in the media.
- Be proactive with media statements every step of the way.
- Have the PR and legal teams work very closely together.
- But expect that over a long period of time you may need to change up your spokespeople to reflect the evolving content (and spokesperson fatigue).
What started as an issue for Tesco Bank quickly moved on to implicate other brands, with 36% of reports discussing brands other than Tesco.
Yes, this is typical. Good news for Tesco in this situation, but you’re tarred with the same brush, and there is less you can do here, because the media won’t be coming to you for comment; it will simply report old facts.
Here I would suggest that relationships with the key journalists writing those stories are critical. Make sure they have all the correct facts on file and be proactive – get them onside, give them bolstering facts and make sure they know how things have improved since the breach – give them the positive stuff.
That’s part of a longer term media relations and crisis recovery strategy.
The Leicester City Council breach was quite different and involved an employee mistake rather than a hack and involved exposing personal data about vulnerable people. How might the communications in this instance differ to a hack or malicious data breach?
The same rules apply although there will be limitations on what can be said because of any internal investigations taking place. However, there are some mistakes that Leicester Council could have avoided:
- This is a strong human interest story – the Council should have shown care and concern in their statements.
- They used a nameless spokesperson – faceless and inhuman in the face of a strong human interest story.
- The statement contained no apologies, it was very cold, impersonal and uncaring.
- They didn’t take control – they allowed speculation, for example: “hundreds, potentially thousands” of details were leaked. This vague statement should have been corrected by the Council. They did not come out on the front foot to give the correct information where they could.
Consequently they gave the story away to embellishment and emotive voices. Instead the Council should have:
- Been clear about the extent of the breach and what they were doing with the companies who received the information.
- Worked with the media to supply the correct facts – e.g. how many people had been affected.
- Used a named spokesman to balance out Ross Grant.
Unlike the Tesco Bank hack, this was a regional story. Does that mean press coverage will be more limited?
Because this was a regional rather than a national issue, it is easy to think it will be contained to local media. Just like something that happens here in Guernsey, if it gets picked up online or by a regional BBC station, it’s likely to go national.
With his outspoken views, Councillor Ross Grant also helped to escalate the story and make it more attractive to the national press. His emotive language such as “sick in my stomach” and “There is no guarantee this has not been copied and spread, we cannot put the genie back in the bottle” makes for media gold.
And indeed with this kind of story you can’t put the genie back in the bottle!
If you want to know more about how PR and legal teams can work together in a crisis, read our blog on this topic.