A data breach, by its very nature, will take a technology company by surprise and expose its brand to grave threats, both financially (loss of business) and reputationally (loss of trust because you will be most likely held at least partially responsible for what happened).
To better illustrate the point, let’s say you are a payments company with a good reputation in the market and solid market share. You’ve been enjoying robust growth since you launched as a startup and possibly even been a darling in the eyes of the tech media. But then one day out of the blue you discover that there was a massive data breach compromising sensitive financial data for your customers, which may number in the hundreds of thousands.
Fortunately, you have a crack IT team that swoops in and plugs the breach and begins a forensic investigation to determine its cause. You also notify the appropriate authorities and issue a carefully-worded email to impacted customers, perhaps thanks to you following a crisis communications manual you had prepared for just such an event. And of course you also reach out to the media because you would rather break the news yourself than have others do that for you. While you may have steeled yourself for some inevitable blowback, the media ends up being very critical of the breach. Seemingly overnight you go from a fintech innovator heralding a new way to conduct financial business to one who ‘dropped the ball’ when it mattered most.
The net result is that with all of that hard work to limit the damage by addressing the financial and other risks to your customers and following best-in-class communications protocols, you just suffered a loss of trust in the eyes of the public.
What comes next is every bit as hard. Here is why: A 2018 research report from by the Public Affairs Council asked Americans to rank a variety of crises and controversies in order of their perceived seriousness. Data breaches resulting in “personal information being stolen” came in at third from the top behind illegal campaign contributions and organizations ignoring workplace sexual harassment.
If that isn’t a wake-up call for your company to get ahead of a potential crisis, then this should add more urgency: The 2017 Cost of Data Breach Study conducted by Ponemon Institute and IBM surveyed 419 companies in 13 countries and found that the average value for the abnormal churn rate after a data breach was 3.24%. Some industries scored higher (i.e., were more impacted) than others. The highest abnormal churn rate is found in the financial industry, which came in at 5.7%. That equates to more than one out of twenty customers slamming the door on you.
So what’s a marketing executive to do following a data breach? The brand is tarnished but not toxic. It will very likely have taken a major hit to its reputation but all is not lost. Here are four parts of a reputation rebuilding strategy that can mitigate the damage and begin to recapture lost ground.
1. Organize follow-up efficiently
Customers will have many questions about what caused the data breach and how it may have impacted them. Take one of the best examples of a data breach in recent memory, that of Target’s infamous data breach of its point-of-sale systems in 2013 that compromised millions of customer credit card data on Black Friday, the company’s busiest shopping day of the year. The Q&A that Target created for its customers in the aftermath is still up today and perfectly illustrates the kind of questions that you will typically receive after the initial crisis has transpired.
All of the questions and concerns from customers will have to be addressed promptly and accurately. In the case of Target, the company decided to offer one year of identity protection and credit monitoring to all of its U.S. patrons following the data breach.
Organizing customer support, which could include a dedicated call center or small department in the communications department, in a frictionless manner will make for a good start toward regaining the trust of customers. Anything that makes the process challenging — filling out multiple forms, waiting for return correspondence, obtaining approvals, etc. — will frustrate customers and only amplify the reputational challenge.
2. Talk with your employees
Employees need to be informed about what happened and what the company is undertaking to help customers inform themselves and receive any support and restitution due to them. Explaining to your employees the who, what and how surrounding the data breach will prevent them from losing trust in the organization they work for.
Also, your customer-facing employees will receive a lot of questions from concerned patrons. Your front-line employees will need to become brand ambassadors as they will play a crucial role in helping your company address questions from customers in a way that projects both empathy and control. The better informed your employees are, the better they can perform that crucial role.
And lastly, we recommend talking with, not TO your employees. Allow for your employees to vent their frustrations and concerns, and to ask management critical questions. This is especially important for those scenarios in which your company receives a large part of the blame for what happened and may even be villainized in the public eye. It’s through dialogue with management that employees will be able to digest what happened and move on as an organization
3. Share positive stories
As mentioned in my introduction, you will most likely have suffered a loss of trust among key stakeholders after a data breach in most any scenario imaginable. The crisis will have put you in a bad light and trying to “own” the crisis will only extend its coverage and continue to remind people of what went wrong (and, by extension, what they think you did wrong).
Just because the crisis occurred doesn’t mean that story should be the only thing the public hears about for months and even years to come. Once the crisis is under control and the crisis communications team has finished its work, it’s time to return the business of growing the company, and restoring any brand equity that may have been lost.
A themed messaging exercise will help you identify which positive narratives you can communicate to help rebuild your brand. You might want to share that you will be hiring people (employment!), are installing solar panels to run your operations on non-fossil fuel (sustainability!) or that you are introducing a new hitherto unseen service (innovation!).
Sharing a steady stream of upbeat news about your company will appeal to the hearts and minds of your customers and other stakeholders. The flow of content on your website, blog, social media, etc. will gradually flip the negative brand narrative to positive. Any upbeat media coverage will also further serve the practical purpose of making online queries about your company no longer return the data breach as the top organic search item.
4. Listen to online conversations
Perhaps it goes without saying but you should be doing this all of the time. If you haven’t, now is the time to kick off an online listening program. Find out what are people saying about the crisis in comments on your Facebook updates or on Twitter. How has the narrative on your Wikipedia page, if you have one, changed since the data breach? The goal of the monitoring program is not to “spin” the story, let alone censor critical remarks. None of these two approaches will help your repair your brand. Your monitoring program should be geared towards collecting valuable intelligence on the conversations that are happening so you can incorporate these findings in how you communicate with customers and other stakeholders. It’s also important to monitor conversations and intervene as needed to correct potentially erroneous information that may be circulating. A false claim can easily spin out of control and do untold damage to a brand’s reputation.