Reputation Risk N°1 : Data Security

Like it or not, data security risks have entered the Reputation Management and Crisis Communications field.

You've heard it in the news: Facebook's leak, the recent HealthCare.gov breach, which exposed personal details of 75,000 people, the Cathay Pacific data security breach, and so on.

In October alone, the American Healthcare industry saw more than 2 million people's health data unlawfully accessed. And that only includes those cases that have been declared.

Top operational risks for 2018 (source: Risk.Net Operational Risks 2018 Survey)

With a clear shift in consumer perception, what used to be an operational risk is now a clear and present Reputational one.

Consider the following data from the Ping Identity 2018 Consumer Survey: Attitudes and Behaviour in a Post-Breach Era:

  • After a data breach, 78% of people would stop engaging with a brand online.
  • 49% would not sign up and use an online service or application that recently experienced a data breach.
  • 56% are not willing to pay anything to application or online service providers for added security to protect their personal information.
  • 59% prioritise the protection of their personal information when interacting with an online application or service, compared to only 12% who prioritise a convenient, straightforward user experience.

In addition to the collective cost of resolving a Data Privacy breach, the potential fines under GDPR*, the threat of being unable to process data, and the legal liability - we can now add the Reputational Risk as well.

As the 2018 Global RepTrak® report from the Reputation Institute has clearly shown, different areas of a company’s corporate reputation can be impacted during and after a data privacy crisis.

"Not only is data security and privacy the number one reputational risk, but data ethics and trust is the number one reputational attribute. This is the first time we have seen one issue appear as both top positive and top potentially negative issue at the same time." - Bill Mew, influencer and advocate for digital ethics and digital transformation.

We are talking about a direct impact on the perception of governance and leadership, on universal stakeholder support and brand loyalty among the general public. In short, the "perfect storm" for a Crisis Communications professional.

It is time for corporate communicators and public relations professionals, those responsible for the reputation of their organisation, to step up in several ways:

Make Data Privacy & Ethics a Cultural Attribute

Communications departments need to drive cultural change programs to put data security on the corporate agenda from the boardroom to the shop floor. Working with the IT departments that ensure data protection, they need to introduce training schemes for employees and create internal awareness campaigns for staff at all levels.

Topics such as data ethics and data protection should be promoted in order to become a real brand attribute for the organisation. Internal and external trust around data is crucial and needs to be authentic to avoid this being seen as just a marketing ploy.

Data Privacy versus other corporate topics.

Organisations need to be in tune with their customers. A recent survey from FleishmanHillard Fishburn found that the main issues that consumers expected companies to act on are now security and privacy, surpassing things like diversity and sustainability that had previously topped this list.

Integrating data privacy & security in crisis communications planning

Take a stand on Ethics and Trust

Establish ethics and trust as core brand values: organisations need to move from a 'box-ticking' focus on GDPR and privacy compliance, to an ethical one focused on 'doing the right thing'. However, in order to gain competitive advantage and enhanced customer loyalty, an organisation needs to be 'authentically ethical'. This means behaving and acting ethically - living up to ethical standards, rather than just using them as window dressing.

  • Behave ethically - focus on the ethical issues that matter to your customers, such as data privacy: implement cultural change programs to instill a focus on ethics throughout the business.
  • Act ethically - when taking a stand, actions speak louder than words: take visible actions that demonstrate your ethical commitment.
  • Talk ethically - be proud and loud: harness your ethical differentiation in your marketing and communications.

Communications professionals will have a key role to play in all of this - from cultural change through to brand amplification. They will also be responsible for building relationships with key external stakeholders and influencers - including press, analysts and social activists that focus on areas like privacy that matter to your customers.

These specialist influencers can be used as a sounding board for ethical ideas and an amplifier for ethical campaigns. They can help you independently assess or benchmark your data privacy policies and crisis management plans so as to ensure you adopt best practice in these areas. Being able to demonstrate efforts to adopt best practice in this way can also mitigate potential fines or legal exposure in the event of a calamity.

Plan for When, not If

Communication departments also need to incorporate data privacy and security risk into each step of their crisis communications plan.

Before

Create clear internal procedures to report data breaches and data privacy issues, ensuring that the communications department is looped in. Prepare a data privacy crisis communications response plan, with processes to trigger its implementation. Ensure that the response plan includes communication plans: coordination between internal stakeholders in the IT, Human Resources, Legal, Financial and Customer Service departments is crucial, so that all departments are fully prepared.

During

Be ready to reassure customers & stakeholders that you are taking the right action. Make it regular, up to date and relevant for each stakeholder segment. And do not forget your most important audience in the process: your own employees.

Use pre-established influencer relationships to counter hysteria or misinformation. Data Privacy breaches are high on the media radar and will get coverage. Make sure you reach out to pre-defined reporters and influencers in your space to add a balanced view to your communications.

"Newspapers tend to emphasise the massive damage of each data breach crisis, through citing victim experiences and magnifying the negative outcomes." - Bokyung Kim, PhD, assistant professor of public relations, Rowan University**

After

Continue to protect your brand and customer relationships. Data privacy related crises tend to have a long-term impact. Explain clearly what went wrong and how you are implementing systems and procedures to limit future risks.

Demonstrate best practice to help minimise regulatory sanctions or fines. Legislation and disclosure requirements have been implemented across several countries and regions; make sure you follow up and document them.

Data Security - a shared responsibility between Brands & their Agencies

Agencies & Companies alike face a Reputational Risk

Some brands are already reacting to the "new" threat. Several companies are compelling their marketing & communication agencies to cover for the liability of a potential data breach.

"The amount of liability companies are asking agencies to accept can range from $5 million to $100 million or even unlimited liability", according to a recent article in the Wall Street Journal.

Again, it is time to plan for the when, not the if - make sure your crisis communications plans are up to date and take into account data security & ethics.


White paper: Brands, Trust & Digital Ethics

A big thanks to Bill Mew for his insightful contribution to this article & corresponding white paper.

Notes:

*GDPR sets forth fines of up to 10 million euros, or, in the case of an undertaking, up to 2% of its entire global turnover of the preceding fiscal year, whichever is higher.

**Bokyung Kim, Kristine Johnson, Sun-Young Park & Shaofeng Liu (2017) Lessons from the five data breaches: Analyzing framed crisis response strategies and crisis severity, Cogent Business & Management, 4:1, DOI: 10.1080/23311975.2017.1354525