You are the victim of a breach and data has been stolen. You will feel violated and helpless.
Worse, you are deeply embarrassed because, although you are a victim, you know some of your staff and clients will see you as the villain; they are the people who trusted you with bank details, medical records, confidential financial details, market-sensitive information, and more.
It is a credit to you that you are deeply concerned about the theft and its impact on your stakeholders. Based on a wide body of evidence and our own experience, being upfront about the downsides of the theft will make you more trustworthy. Conversely, do not be tempted to withhold information, as a breach of trust is long remembered.
Our suggestion is to view this experience as an opportunity for your stakeholders to observe your values. It’s confronting, because every step you now take can erode or build trustworthiness.
The rule of thumb should be: ‘What would your victims want to know?’
The choice about transparency is taken away from directors and executives if the breach is reportable under the Australian Notifiable Data Breaches Scheme of the Privacy Act. A breach is reportable if the stolen information is “likely to result in serious harm to any of the individuals to whom it relates.”
The transparency decision is tougher if the theft does not need to be reported under the Act: for example, if commercial-in-confidence data is stolen while you are undertaking due diligence on another company, or if privileged information is stolen part-way through a court case. The temptation to keep things quiet in the short term can lead to longer-term problems if those affected later find out from a different source.
A Matter of Trust
The material can be valuable to criminals.
The temptation is to underplay the event, but many stakeholders will suspect a cover-up if a ‘warts-and-all’ assessment of what has happened is not given. Compare how we judge politicians: those who admit the bad along with the good are generally more trusted.
Above all, you should treat, and be seen to be treating, this matter seriously.
Some Unexpected Steps
Data breaches are complex and involve external support from forensic investigators, lawyers, and communication specialists. The communications strategy you employ will also be complex; here are some perhaps unexpected tips that apply in some situations:
1. It will seem counter-intuitive, but consider not closing the breach until your forensic investigators have done their best work; your stakeholders will ask about the thieves, and investigators may be able to find out more about them if the breach is still open.
2. Put together a nimble crisis team to work discreetly and, on a temporary basis, do everything you can to prevent rumours. Rumours erode trust.
3. Plan the timing of the announcement. There is a fine line between going too early with too little information (which creates distrust) and going too late (which also creates distrust).
4. Consider having lawyers analyse the stolen data, rather than internal staff. That way, if there is sensitive data, you can reassure those affected that you have not seen it.
5. Plan a tight timeline for the announcement. Coordinate the simultaneous release of key messages to stakeholders. Again, the risk is information leaking to key stakeholders before you have the chance to be the first to inform them.