
Top 10 cyber crisis PR fails (and how to avoid them)

In a crisis, especially a cyber crisis, it’s human instinct to reassure and tell your side of the story. Here's why it's essential to resist this urge.

In a crisis, especially a cyber crisis, it’s human instinct to reassure and tell your side of the story. We constantly see companies’ desire to give their customers a sense of security—often too early in a cyber incident and without the full facts. It’s essential to resist this urge for both legal and reputation reasons. Only disclose information that is certain, because if you say the wrong thing too soon, your customers will feel a lot worse later on, when the story changes.

Of course, it doesn’t always go that way. 

That’s why I teamed up with privacy attorney Tanya Forsheit at the IAPP Global Privacy Summit last week to talk about the “Top 10 Greatest PR #Fails in Data Breach Response” and how companies can avoid them. Our audience was a mix of Data Protection Authorities (DPAs), regulators, lawyers, and diverse corporate sector privacy professionals—all parties who would play a critical role in any cyber incident response.

We all know that the threat of cyber incidents is pervasive across organizations of all sizes and industries. They are no longer outlier events, but rather challenges that every company must prepare for, working to mitigate the risk before a cyber incident strikes.

In our experience, a company’s response to a cyber incident is often more significant than the incident itself. The response can define—or redefine—a company’s reputation with customers, authorities, business partners, and employees. A lack of timely response and clarity can hurt a company’s credibility and create a narrative of mismanagement, leading to more concerns and challenges down the line.

So, here are our Top 10 PR Fails:

  1. Saying too much too soon
  2. Saying too little too late
  3. Stepping in it on social media
  4. The tone-deaf CEO
  5. Forcing affected individuals to waive their rights to sue 
  6. Overpromising and failing to deliver
  7. The appearance—or actuality—of insider trading prior to incident announcement
  8. Careless internal communication without legal privilege
  9. Minimizing the impact
  10. Allowing vendors to speak for your organization

There are no do-overs in a crisis, and the best prevention is preparation. One audience member noted: You can handle 90% of what hits you when using appropriate incident response processes. 

Very true, which is why employee education and preparation are so critical. We should take a broad view of cyber safety awareness, from tips on how to create a strong password and identify phishing emails to adherence to media policies. It’s also important to take care in how you communicate electronically during an incident—it’s likely you don’t know the full details, and propagating inaccurate information can lead to confusion. As Tanya said, “Don’t put anything in writing that you wouldn’t want in Times Square.”

Ultimately, internal coordination is key to any incident response. Another audience member emphasized the importance of having a process for escalating a cyber incident internally so the right internal players are at the table from the outset—including communications and legal leaders. Small organizations and large corporations alike are forced to handle cyber incidents in the current environment. 

Those that handle the response without committing major PR #Fails will avoid the harsh public spotlight, maintain control of their narrative, and sometimes even get credit for a well-run response.