Your brand's data breach will be a 72-hour sprint. Are you prepared?

With British Airways facing a record US$229 million GDPR fine, and Marriott facing a US$123 million GDPR fine, media are speculating about who might be next to be fined as a result of data breaches. Wise business leaders will look close to home since today’s reality is that there are two types of companies: those that know they have been hacked and those that don’t. The message is clear – expect severe consequences when things go wrong.

The UK regulator noted that both companies had co-operated with the investigation and had since made improvements to its security. Clearly, however, cooperation and post-facto improvements are not enough to insulate a company against hefty fines and a high-profile public shaming. Companies must be prepared for the inevitable breach—and for the inevitable fallout. While the financial penalties can be eye-watering, the loss of trust can be a higher price to pay. But do customers really care about data breaches? Data suggests they do.

Edelman’s 2019 Trust Barometer Special Report - entitled "In Brands We Trust?" - found that 55% of consumers agree that it is becoming more important to trust the brands they buy because of data privacy concerns, brands’ ability to track and target customers, and brands’ use of artificial intelligence in customer service. People also expect companies to be mindful of their data. In the 2019 Edelman Trust Barometer, more than half of respondents globally agreed that CEOs can create positive change in data privacy.

Trust is one aspect, behaviour is another. Our analysis of many similar data breaches shows that sales are rarely impacted in the immediate aftermath of a crisis. The truth is that while people absolutely value data, they are also relatively forgiving and realistic. Bad things happen, and yes, trust will suffer, but the real harm is caused by the mishandling of a breach. As with so much in life, it’s not about the mistake you make, but how you handle it.

While breach prevention must be a top priority, handling an inevitable breach is arguably of higher importance. So why have so few businesses tested their readiness for things like their ability to handle a 1,000-fold increase in customer communications overnight or their ability to quickly and proactively deploy information to their customers? Many businesses wouldn’t be able to tell you which countries they have a GDPR notification requirement in, and fewer still have an emergency protocol to inform and reassure staff, the most important audience for business continuity at a time of crisis. 

None of these vulnerabilities can be assessed or mitigated overnight, let alone in the 72-hour timeframe mandated by GDPR. It takes time to adequately prepare for when, not if, a data breach occurs.

Here’s what matters most:

• Independent, forensic investigation is a must. The single most important thing is to re-secure systems and understand the nature and scope of the breach.
• It takes a village – building consensus around protocols requires in-house teams to be prepared to work with lawyers, insurers, investigators and PRs.
• Businesses need to be able to describe in plain language to those affected what has happened and what is being done to fix it. The tone must be human, empathetic and genuinely apologetic.
• Know your stakeholders and who needs to be engaged and when. Don’t underestimate the complexity of mapping out these groups if you operate in numerous jurisdictions.
• Ensure robust customer service support across relevant channels and never underestimate the volume of inbound enquiries generated by a breach.
• Don’t turn your back on employees. This group has the potential to make or break a business during a breach, and there’s a high chance they will also be victims of a data breach.

Risk mitigation is becoming routine because companies recognize they will experience a data breach. Investment in IT infrastructure to protect company data is evidence companies are wising up to the inevitability of a breach. But the long tail of a crisis is determined by how it’s handled in the first 72 hours. Reputations are fragile, and most companies are woefully underprepared to protect them. Getting your house in order now and building up a little muscle memory can mean the difference between being the headline and retaining customers.

Adrian Warr is the managing director at Edelman, Hong Kong. A copy of the special report mentioned in the article is available for download here.