Any organization that believes it is immune to a serious data breach should review the statistics. So far, the damage to U.S. companies and consumers from data loss and theft in all its forms is equal to the GNP of an oil-rich Middle Eastern nation: $56.6 billion in 2005 and growing rapidly. More than one in four Americans had their personal digital data exposed between 2005 and 2006. More than 75% of companies in a recent survey reported they had been exposed to security breaches engineered by high-tech fraudsters, up from almost 25% of companies a year earlier.
The list of victimized organizations reads like a who's who of U.S. institutions, including names like Georgetown University, Starbucks and the Veterans Administration to name just a few. Data breaches have grown to unprecedented proportions. Attrition.org estimates that, as of February 13, 2008, over 310 million records had been compromised worldwide. The Identity Theft Resource Center reported 446 data breach cases in 2007, more than 140% higher than 2006. Already in the first quarter of 2008, there were 167 data breaches reported, compromising more than 8.3 million personal and financial records.
The astonishing number of data breaches in just the past few years has established data security as a significant risk management issue for 2008 and beyond. Just three years ago, data breaches represented an untamed frontier of crisis communications. Today, the fundamental elements and best practices are being articulated and refined, and intelligent organizations (including universities, government agencies, banks, accounting firms, small businesses and large corporations) are incorporating data security into their overall crisis preparedness plans.
Essentially, data loss is no longer a question of what if? The only remaining question is when?
Planning for data loss and theft is different than other risk management techniques for at least two fundamental reasons. First, the whole notion of personal control comes into play in a way that is unique to (or at least particularly underscored by) data security concerns.
Some customers still worry that any personal data they provide online will automatically be at risk. While their concerns are understandable, and often justified, it is worth remembering that those same customers probably have no concern whatsoever about handing their credit card to a waiter or waitress who then disappears from sight entirely.
Because most people do not really understand the inner workings of the internet, they do not feel in control. That feeling of not being in control amplifies the perception of risk, regardless of whether it actually contributes to the risk at all.
Such behavioral variables and stubborn mindsets raise the stakes for companies grappling with an organizational data breach. If consumers do not trust the security provided at the point of sale, they will not buy. If employees do not trust their organization to protect them, they will not stay long. And if prospective students do not trust a school to keep their personal information out of the wrong hands, they simply will not apply. With report after report of high-profile data losses making headlines, public trust in the security of online databases is diminishing. The bottom-line consequences, conversely, continue to multiply.
The lesson here is that data breaches must be rapidly and proactively managed by deploying a specific communications strategy that will reassure current or potential stakeholders that the controls are effectively in place.
Outside actors play an unusually large role in affecting how security breach problems and solutions are perceived. These actors (usually malefactors) both exacerbate the crisis in the short-term and offer organizations a strategic solution in the long-term.
Actually, only a small fraction of the information improperly exposed every year as a result of data breaches is ever used for criminal purposes. Just because a hard drive containing personal information about thousands of people turns up lost or missing does not mean that the information ends up in the wrong hands.
Paradoxically, however, such "innocent explanations" can be more problematic for an organization, especially as they relate to the public's very human need for control. If there are no criminals involved, then the systems themselves must be faulty; things fall apart, and none of us will ever be able to completely trust the storage mechanisms that are supposed to safeguard our personal identities.
To be sure, a thief in the form of a rogue employee is immediately very threatening. What is he or she going to do with our social security numbers and banking data? The grim prospects, including wholesale identity theft, can cause a panic, yet the organization from which the data was stolen may face less of a lasting confidence problem. After all, the organization can restore control once the criminal is stopped or apprehended.
Every organization, whether corporate, nonprofit or governmental, can be victimized. If it is prepared to publicly respond to the breach and effectively communicate how it will address current customer losses and prevent future problems, the public is given the kind of closure that it cannot get simply from reassurances that a random systems failure will not happen again.
We have seen similar dynamics in many different sorts of crisis management situations. Of course, the classic case is Johnson & Johnson, which was able to reassure the world that a tragic and dangerous situation was under control specifically, and counterintuitively, because a lunatic was menacing the Tylenol racks. The company, along with the public, was a victim of criminal activity, and once the evil actor was stopped, everything would be fine again.
Data breach scenarios are similarly driven by this victim/victimizer dynamic. In these cases, systems will also return to normal once an anomalous situation is rectified. Here too, organizations can reinforce their crisis communications strategies with a palpable sense that they are in the same boat with the very stakeholders they need to reach. It is, in other words, a battle that organizations can win if they are quick enough and smart enough.
What, specifically, does being quick enough and smart enough mean?
First and foremost, it means transparency. Organizations facing a data loss crisis must be prepared to disclose everything about the data breach, including timelines and the immediate action taken toward containment and damage control. If the organization can do this before anyone else does, especially the media or the blogosphere, it will maximize its control of the story going forward. Rest assured, the story will come out eventually, and if the organization does not tell it first, the world will wonder why. What did it have to hide?
Second, it requires credible expressions of concern, commitment and action. At the outset, the organization should apologize to all who have been affected, while recognizing that there is a potential contradiction here. After all, why should an organization apologize if it is also a victim? In this situation, the messaging needs to be fairly nuanced in order to capture both positional advantages. On the one hand, express regret that people have suffered or been inconvenienced on the organization's watch, and on the other hand, express disappointment that the organization's standards have been violated.
Third, a "quick enough and smart enough" response requires legitimate deeds as well as words. For example:
- Provide affected stakeholders with a no-cost means to monitor their credit after a breach. It is a cost of doing business in the Internet Age.
- Exceed the requirements for disclosing the breach. If the law only requires disclosure in the states where affected consumers live, consider disclosing nationally as a confident gesture of good will.
- Launch internal investigations. Ideally, the self-surveillance should reach as broadly as possible, even beyond the specific systems and departments involved.
The organization's relationship with law enforcement and regulatory agencies is critical. If possible, coordinate every press release with those agencies and enlist the investigators as allies so that the company is part of the solution, not the problem, at the highest possible level.
Such effective risk management can actually transform crisis into opportunity. With enough resolute, proactive effort, organizations that have been data breach victims are in a unique position to brand themselves as leaders in protecting personal privacy. They can talk about enhanced hiring procedures, amended privacy policies and corrected IT loopholes. The public generally supports those that have learned their lessons. In fact, it will look to them for leadership in the next crisis.
A case in point is the data aggregation company ChoicePoint, which from 2004 to 2005 was the national poster child for massive data breaches after identity thieves gained access to 163,000 customer records. Soon thereafter, the company got off the mat, launching aggressive and persistent messages on what it was doing to remediate this global problem. The company initiated dialogue with numerous privacy experts and academics. Online posts by the firm were straightforward and seemingly transparent, marshaling evidence of the specific corrective actions that were being undertaken. By September 2006, a Gartner Group report was asserting that "ChoicePoint has now become a role model for protecting customer data privacy."
Leading experts predict that data loss and theft will grow exponentially before the decade is through. The magnitude of the risk is no longer an uncertainty. It is a reality of doing business and must be treated as such.
Risk management is essentially about managing these issues. Crisis management plans that address these grave concerns must prepare organizations to be transparent, cooperative and proactive. Importantly, those plans must operate as part of a larger security program rather than an ad hoc exercise after the breach has already occurred.
Data loss and theft are not uncertainties. We cannot just hope that the coin toss will land in our favor. A crisis will occur. When it does, our readiness will be tested.
David Bartlett is senior vice president of Levick Strategic Communications and manager of the firm's public affairs and regulatory practice group.
Larry Smith is senior vice president of Levick Strategic Communications and co-manager of the firm's professional services practice group.