Breach Response: The Right Words
What to Say in the Wake of an Incident
Is there an ideal message a senior executive can deliver amidst breach response?
It boils down to honesty and a sincere commitment to address the issues.
Global is the seventh-largest U.S. payments processor, handling billions of credit and debit card transactions between merchants, banks and consumers. On March 30, Global announced an identified breach in its processing system, involving an estimated 1.5 million accounts. On April 2, CEO Paul Garcia discussed the breach during a conference call with market analysts and journalists.
"We are making significant progress in defining and rectifying the event," Garcia said, describing the breach as "contained." He later said about the incident: "This is manageable ... we will get through this."
I am no PR expert, but I wonder if this message is enough to reassure shareholders that the company is doing everything to get back on track. What does "manageable" mean in this context? And does Garcia's message really address his customer base and how their issues will be resolved going forward?
1.5 million may represent only a fraction of Global's card numbers, and perhaps seems 'manageable' to Garcia. But Scott Patterson, public relations head for the Association of Certified Fraud Examiners, a global anti-fraud organization, has a different perspective.
"To us, it's still a huge number - and when I read it, I worry: Am I one of the 1.5 million?" Patterson further adds that Garcia's message was more an acknowledgment that a breach happened. "There was no clear admission of failure, and there were no reassurances to people on what does this all mean," he says.
A breach response message needs to provide as much information as possible for customers whose records were breached, so they are in a position to take action to protect their credit information. "The company would want to assure members of the public who are doing business with the company that their personal records will be safe going forward," says Lucy Thomson, a privacy advocate at CSC, a global IT information company, as well as chair-elect of the American Bar Association's Section of Science & Technology Law.
So, what should be an executive's appropriate response amidst a breach?
"There is no ideal and one right answer," says Mark Lobel, senior partner with PricewaterhouseCoopers. It largely depends on what the company's goals are while it is in firefighting mode. "Is it to reduce the stakeholders' concern, address the public to minimize damage, or both?"
At minimum, an executive's response during a breach situation should be:
- Comprehensive: The message should include a certain level of detail on the cause of the incident, what specific mechanisms are in place to address the breach fallout and "some kind of admission of the problems faced," says Greg Thompson, VP at Scotia Bank, and a member of the (ISC)2 Board of Directors. "I think it boils down to honesty and a sincere commitment to address the issues."
- Frequent: Obviously a company will want to minimize negative publicity about the breach, but this should not be done at the expense of providing enough updates to assist the customers whose data has been breached. "The key is to protect the public's confidence in the company in the face of a breach by providing customers with periodic updates as further information about the breach becomes available," Thomson says.
- Forthright: There should be an admission in the message of problems faced and some sort of regret, Patterson says. His advice to companies is to not overplay the "stay positive angle," but instead communicate a little bit of contrition: "We are truly sorry to those customers who have been affected, and we are working hard to secure their data and rectify the situation."
Of course, constant vigilance is central to preventing security breaches, and in a perfect world such incidents would never happen. But given we live in reality, it's time for leaders to be prepared with effective responses to the worst of situations.