Communicating Security Breaches: When In Doubt, Shut The Door

Transporting secure data is a risky business, and one where those doing the transporting are assumed to be competent, careful and concerned. But, judging from the rash of security breaches in recent months and years - including one in which 40 tapes of Time Warner's secure data quite literally fell off a truck while being transported by data storage company Iron Mountain - proper care isn't being taken, and that's not even taking criminal security breaches into consideration.

Given this trend of secure data in danger, coupled with Americans' growing concern for privacy, what is the impact of security breaches on companies, constituents, news coverage and, above all, communicators? According to a recent study by the CMO Council (in collaboration with Symantec and Factiva, and in a media partnership with PR News), the implications are ominous. The "Secure the Trust in Your Brand" survey, for which Factiva monitored the media impact of data security breaches across 10 U.S. corporations, revealed that only 29 percent of respondents (both marketers and business executives) said their companies had a crisis containment plan in case of a security breach.

The statistic certainly justified the eyebrows it raised, considering the swell of security breaches among business organizations - and their impact on trust and brand erosion - but it also begs for closer scrutiny. For example, while security coverage of specific companies that suffered a breach accounted for more than half of all stories written about those businesses in 2005 (see chart 1), there is little evidence of preemptive action being taken to avoid such mishaps in the first place.

But despite the apparent danger of compromised data to the general public, that same general public seems relatively unconcerned - or so says Jim Lukaszewski, chairman and president of The Lukaszewski Group Inc. (who, coincidentally, was the victim of identity theft on two separate occasions).

"It's amazing how little the public seems interested, how little fear has occurred," he says. "It's not a case for which you can find a victim."

But although there may not be individual victims to find among the public, victims take form in the companies that find themselves in the news for security breaches that were, more often than not, accidents. But accidental or not, it's still a blow to corporate reputation and public trust, and communications, marketing and PR professionals spearhead recovery. This raises the question: What is the ideal communications response to security breaches?

The answer, of course, isn't cut-and-dried, as crisis plans are often made to be broken (see page 2, "When It Comes To Preparedness, Crisis Plans Go Up In Flames"). However, there are steps that can be taken to rectify problems, as seen by the CMO Council survey analysis of the 10 companies and the lessons they learned the hard way:

  • Come clean first, send out a search party second: Even though breaches often don't result in actual threatened security, companies must communicate the event to the affected parties. It's a matter of transparency, but, more recently, it's also a matter of obeying the law. Legislation now requires businesses to inform consumers whenever their data is no longer secure. Keep a crisis secret and you're a bad PR manager; keep a security breach crisis secret, and you could be imprisoned.

  • Nix the trickle-down effect: Don't make the same mistake ChoicePoint did when its communicators decided to send out word of its security breach in phases, initially only speaking to California residents. Technically they acted lawfully, but public pressure required the company to come back to the issue and address a larger public, which made it difficult to put the crisis behind them.

  • Make the message count: ChoicePoint also serves as an example of what not to do when it comes to messaging. The messages of credit coverage the PR team tried to communicate were overshadowed by conflicting examples of poor information on the corporate Web site and poor customer responsiveness. Bank of America, on the other hand, not only focused on a message of openness, but also went beyond legislation requirements to be as transparent with affected parties as possible. Time Warner's SVP and chief security officer Larry Cockell issued a letter to employees detailing the measures being taken to address the problem, which included a credit protection program paid for by Time Warner.

  • Preparedness is key: Lukaszewski emphasizes the benefits of anticipating a security breach before one ever takes place. "At the root, they are representative of scenarios where communications should take preemptive action to protect data," he says. The best defense is for PR to maintain a close relationship with the people who manage the data.

Whether security breaches are becoming more regular or it's just a matter of increased media attention, communications executives must understand the implications such crises can have, not just on the company's reputation, but on the industry and the macrocosm as well (in the form of legislation, etc.). (See chart 2) The above tips will kick-start an effective plan of action, but if all else fails and data is at risk of falling off the proverbial (and not-so-proverbial) truck, there is always a fall-back plan, Lukaszewski-style:

"Shut the damn door."

(For the full CMO Council survey report, visit http://www.cmocouncil.org.)

CONTACT:

Jim Lukaszewski, 914.681.0000, [email protected]