Anthem’s Cyber Attack Demonstrates Dos and Don’ts of Crisis Communications

http://www.prnewsonline.com/wp-content/uploads/2015/02/Anna.Keeve_February-2015-grey-backdrop.jpg
Anna Keeve

Eighty million. That is the number of people whose social security numbers, addresses, medical ID numbers and other personal information are now in the hands of cyber criminals and likely being sold right now on the Dark Web, a black market where personal information is bought and sold.

This data leak was the result of a cyber attack on Anthem, the second-largest health insurer in the U.S. With 80 million patient records compromised, this makes it the largest healthcare data breach to date.

A computer hack like this one places organizations in the spotlight, as they are scrutinized on every move they make. From how quickly they reveal a breach to how forthcoming they are about their past cybersecurity practices and policies, every element is judged by the media and consumers alike. Poor crisis communication can have devastating effects on a company's customer and shareholder relationships, brand perception and, ultimately, bottom line.

While we are still in the early stages of this situation, Anthem has done relatively well with its crisis response, but only time will tell if it will fully recover. So far, the actions Anthem has taken have been timely and forthright, and we can learn some valuable PR lessons from Anthem’s crisis communications approach following a cyber attack.

Come out early with the information you have. Anthem's breach was detected on Jan. 27, 2015, and it came out publicly to announce it on February 4 with an arsenal of resources. Anthem has earned credit for coming out early and being well prepared, which has enhanced transparency and trust. To put this in perspective, the Target hack broke from an outside source on Dec. 13, 2013, but it took the retailer five days to follow with its own announcement and weeks to send notices to its customers. When 4.6 million Snapchat accounts were compromised, the company waited months before coming out to the public, causing outrage among its users.

Often, companies may not disclose a data breach for weeks or even months before announcing it publicly. A company executive's first instinct may be not to disclose anything until he or she has all the answers. However, when dealing with breached data that has been stolen from your customers, the company needs to come out within days of the discovery and communicate what it does know. No one expects the company to have all the answers right away, and as long as the spokesperson explains that the company is working with authorities to figure it out, customers and the public at large will be more accepting.

While there are laws that require companies to disclose a breach, timelines are vague, and state disclosures must occur in a "reasonable" amount of time. Disclosure is also dependent on what type of data is exposed (medical information, mandated under HIPAA, versus general information.) While companies should meet their legal obligations, they should also meet their moral obligation and be forthright and timely with what they know.

Disseminate easy-to-understand information effectively. One thing Anthem nailed is the resources it offered customers upon announcing the breach. It launched a dedicated microsite, anthemfacts.com, as well as a hotline that current and former customers could call to get information. Anthem also has a FAQ page with additional details.

What is more, the information was easy to read and understand. Content like this is useless if people have to sift through five pages before getting to the point and understanding how it affects them and what they can do about it. Also, the last thing people want when trying to get information is a rude or uninformed customer service representative. When Target was hacked, the company took a lot of criticism for customer service call wait times being too long, a Web banner on its website that could hardly be seen and written communication that was too complex to understand.

Bryan Scanlon, Global Practice Director at MSLGROUP, a strategic communications and engagement agency with a large information security practice, explains that customer advice is often thrown together as an afterthought to meet disclosure requirements. "Customers want empathy, and clear and helpful communications on exactly what should they do, what resources are available, and how can they minimize the impact. Make sure you push back on the lawyers to sound like—and be—human," Scanlon said.

Offer something to compensate and follow through. While companies can't buy someone's brand loyalty back, they can invest in some measures to soften the blow and show them that they care. While providing free credit monitoring comes with a price tag, it is the wise thing to do at minimum. After all, the company lost the data customers entrusted it with, so the company should provide a remedy. For retailers, it's an added bonus to offer an easy-to-use discount as an incentive to come back. Anthem has said it will provide credit-monitoring services, but after eight days since announcing the hack, it has not yet provided an explanation as to how to access these offered protections, causing some backlash from customers and elected officials.

Offer a sincere apology. This may sound basic, but it is often difficult for companies to do this, especially when they feel they have been taking proper actions to protect customer data. By apologizing, they are not admitting guilt or negligence—they are simply showing empathy and sincerity. In Anthem's case, CEO Joseph Swedish offers an apology on the homepage of its Anthem Facts microsite: 

“I want to personally apologize to each of you for what has happened, as I know you expect us to protect your information. We will continue to do everything in our power to make our systems and security processes better and more secure, and hope that we can earn back your trust and confidence in Anthem.”

A poorly handled public response to a cyber attack can cause irrevocable damage. However, because of the frequency of these attacks, the public is becoming more desensitized to these occurrences, which might bode well for the breached. Studies show that while there is a sharp decline in reputation and revenue during the months following a hack, a recovery can be had.

For example, after the Target breach in Q4 of 2013, which earned the company an all-time low customer-perception score and cost about $17 million, the company ended Q1 of 2014 at pre-hack levels. So companies can bounce back, but not without intense media attention and customer dissatisfaction, especially if a company is perceived as not being empathetic and forthright or if it did not put adequate resources forward to rectify the situation.

Just because breaches are more common doesn't mean consumers will be lulled into complacency. Breached organizations still need to work to earn back trust while proving they are proactive with security and reasonable with customer data. If not, they will likely face an even greater PR storm, along with lawsuits. The mantra in the public eye is still "guilty until proven prudent." While Anthem came out of the gates with a strong start, it appears things may be taking a turn as it lags in following through on some of its promises. Only time will tell if Anthem can weather the gathering storm.

Anna Keeve is the senior public relations specialist at ESET, a global cybersecurity company with its North America headquarters in San Diego, Calif.

Follow @ESET and @AnnaKeeve.