Sephora’s latest cyber attack: Why PR needs to be in the conversation early on

Data breaches are becoming commonplace in today’s digital world, with companies such as Instagram, Yahoo, AIA Singapore and F&B operator Spize among those affected. Most recently, Sephora was also hit by a cyber attack that impacted consumers across Southeast Asia, Australia and New Zealand. Sephora has since apologised and reviewed its security systems. It is also offering a complimentary personal data monitoring service through a third-party provider.

When faced with a data breach, the first question that comes to mind is whether companies should inform those affected and the public about the loss of data – and risk the backlash. Asia PR Werkz’s founder and managing director Cho Pei Lin, who has managed more than six data breach incidents in the past three years, told Marketing that an ideal data breach management team should include lawyers, security technology experts and forensic gathering experts.

“It is definitely critical that a representative from the PR or communications team be part of the data breach management team, as time-critical decisions must be made and executed on the PR front,” she explained. Cho added:

The PR plan is really a subset of this data breach management plan.

Planning to manage a data breach is best done before the breach happens. This means that organisations should have a robust data breach management plan in place which takes into account their business processes and needs, she said. According to Cho, more clients are involving the agency in the creation of a data breach management plan and participating in regular breach simulation exercises to better prepare themselves for responding to data breaches in a prompt and effective manner.

While some companies might consider the option of having a data expert speak on behalf of the company during a data breach, Cho said this “may not serve any useful purpose immediately”. Instead, consumers will be more assured knowing that the breach has been contained and security measures are in place to ensure that there will not be another attack or continued breach.

“One must not forget that data is not like physical goods. Physical goods can only be stolen once, but data can be stolen repeatedly by different hackers. Thus, it is more important to reassure those affected that their data is now secured and the likelihood of another breach is low,” she explained.

Agreeing with Cho is Ivlynn Yap, Citrine One’s managing partner and crisis communications lead counsel, who said external stakeholders ought to be engaged only to neutralise the issue by giving a professional and neutral assessment of the crisis that occurred, not to speak up for the brand. She said:

In times of crisis, it is best for an internal spokesperson to speak up for the brand to maintain the credibility and trustworthiness of the information shared.

The two key spokespersons to speak for the brand regarding a data breach or failure of digital security ought to be the regional chief or country head and the head of IT, she said, adding, “Focus on providing facts and not opinions.”

“Get the 5W1H (5 why’s and 1 how) and the extent of the incident out the soonest possible, followed by the call for action to contain the crisis. Thereafter, conduct a post mortem to find ways to mitigate and prevent a recurrence. Being transparent, truthful and sincere goes a long way in building trust,” Yap said.

To allay consumers’ fears, affected companies can produce a video featuring their head of IT explaining the situation, ways to resolve it, and update affected consumers on the progress of the recovery initiatives undertaken. Following that, crisis audits should also be done at least twice a year to prevent such incidents from reoccurring, she added.

Response time is key

Although action has been taken, Sephora still took two weeks to respond and reach out to inform consumers about the issue, Justin Then, managing director, LUMOS Hill+Knowlton Strategies, told Marketing. While the reason behind this remains a mystery, Then said this is a question Sephora will need to address very soon. Despite this, Sephora has followed the crisis and issues playbook “to a T”, he said.

“In its communication to customers, it has ticked all the boxes based on the CAP principle – expressing care or concern to customers, demonstrating the appropriate action to be taken, and finally putting the whole saga into perspective by highlighting how the data breach is contained and not affecting other parts of the business or customer interface,” he explained.

Depending on the sensitivity of data at hand and the nature of the business, companies should ideally conduct audits twice a year, Then said, with one audit that is more comprehensive and thorough to ensure procedures are in fact actionable. He added:

Too often, a plan only looks good on paper until it is put to the test.

Agreeing with Then, Lena Soh-Ng, CEO, Huntington Communications, said regular crisis audits should be prepared to stress-test systems. Carefully crafted and comprehensive response plans are essential. This involves planning for the worst possible scenarios and determining which stakeholders would be affected and how, Soh-Ng explained.

She added that generally, customers like to be in the know. More often than not, it is not a formal apology they seek, but the company’s transparency and genuine desire to rectify the issue. Owning the mistake and ensuring clear communication is key to building trust, Soh-Ng said.

“While data breaches are sensitive and can generate widespread unhappiness, companies who take to the discussion pages can intercept sources of inaccurate information and extend their genuine remorse for the incident. Organisations should also reply to the negative comments,” she added.

External stakeholders can help regain consumer trust

While some industry players believe external stakeholders should not play a major role in crisis management, Soh-Ng said that in the case of a data breach, there are companies in this space that can provide perspectives. These include the types of threats prevalent at the time and the processes companies have undertaken, and they help put things in perspective for the media. Companies do not have to tackle the issue all by themselves, she said, adding that apart from data forensic companies, external stakeholders can also include industry associations and consumer watchdog groups.

Taking a page from the book of SingHealth, Singapore’s largest healthcare institution, Soh-Ng said that besides a statement from the government, the Cyber Security Agency also disclosed its thoughts in a review of the public sector’s cyber-security policies together with the Smart Nation and Digital Government Group. She explained:

The provision of multiple external opinions served to add greater assurance to the audience.

Also weighing in on the issue is Jojo S. Nugroho, managing director, imogen public relations and digital, who said companies impacted by a data breach should get experts to speak up for them. Doing so enables them to better explain why such an incident occurred, how they are managing it, how data breaches are inevitable in this digital era, and convince customers that they have taken the right steps to overcome the crisis.

“When such statements have been disclosed by data experts, customers will more likely believe them rather than statements declared by [the company’s] representatives. From there, the company can regain consumers’ trust,” he said. To prevent further occurrences, Nugroho said a standard operating procedure (SOP) rehearsal should be done at least annually.
