Andrew Giles, Head of Public Relations and Communications for Canon Australia, shares insights on how to maintain your customers’ trust and minimise reputational damage should you find yourself facing mandatory notification of a data breach.
The subject of data breaches will soon become a very public, whole-of-business challenge as the new Data Breach Notification obligations
come into effect on February 22nd, and regulators will begin to enforce the new laws.
There is no doubt that a breach of personal information is a sensitive issue. But it’s not necessarily the breach itself that will affect your brand as much as how you handle it. In fact, a report by Deloitte
showed 33% of customers actually gained trust in an organisation after being alerted by the company about a breach.
Now is the time for marketers and communications experts to prepare crisis response plans. An effective initial communication will put the needs of the customer first, achieving limited damage to your company’s reputation while maintaining trust.
How should you communicate with customers?
As the Office of the Australian Information Commissioner (OAIC
points out, the first 24 hours of a breach are the most crucial for your business). Customers entrust you with their information, so should anything go wrong, you need to act with speed and transparency to protect those affected.
If the worst does occur, one of the top things to remember, is that the sooner you can tell your customers, the better. This is not a legal requirement, but responding quickly could help you significantly minimise the impact on your reputation and help you regain your customer’s trust. If a breach is discovered, act quickly and follow these steps:
Prevention is key
- Bring together the key players forming your response team
- Gather the facts fast from your IT team – it’s important to understand how the breach occurred, how it’s being contained and what steps you are taking to prevent it from happening again
- Send a direct, personalised message via email or mail letting each customer know what has happened and what action you are taking to fix the problem – and ensure it doesn’t happen again.
- Prioritise telling customers and stakeholders who are most impacted by the breach. It’s important that they hear it from you rather than another source. Consider calling them directly.
- Release a statement, covering the details outlined above, on all communications channels. Be honest, open and transparent.
- Communication should focus on minimising the impact so ensure your tone of voice strikes the right balance between apology and action to mitigate the risk. Customers want to know that you’re taking responsibility, and that you’re doing everything possible to protect them. This could include identifying actions they should take, eg informing their bank of the breach if financial information has been compromised.
- Appoint an internal spokesperson who can field enquiries from the media and concerned customers. Provide a phone number and email of someone who can be contacted for more information on what actions those affected can take to protect themselves. Respond promptly to all enquiries.
- Send regular updates if the situation changes or if there is anything else they should know.
Ultimately, prevention is about mitigating or reducing harm from the occurrence of a breach – quickly. And that’s where the three Ps are critical: Prepare, Prepare, Prepare.
The OAIC recommends having a Data Breach Response Plan in place. Ideally, this will be part of your ‘business as usual’ activities, tying in with the broader plans for managing similar risk issues.
Key elements of a response plan include:
- incident scenarios
- risk level assessments and ratings
- details and structure of the response team
- contact details for all stakeholders
- a stakeholder communication hierarchy
- templates of documents such as incident forms and internal/external communications (press release, emails, social media etc.)
- consistent messages about the breach to prevent confusion.
The result should be a clear picture of how the company will respond to the potential harm of a breach.
In today’s digital world, no business is immune to the dangers of a data breach. Use the imminent data privacy laws as an excuse to plan your crisis communication strategy now, rather than waiting for a breach to impact your business.