Most everyone has received one of those dreaded notices that delivers ominous news. “Your personal information has been compromised.” No matter how they say it, our thoughts race to the implications and how quickly we can act to mitigate the damage. Then, a multitude of other questions arise. So how can a business or nonprofit organization help us lessen the anxiety around the situation? For some, it might be tempting to grab a six-pack. Instead, I’ll offer a six-pack of best practices including basic expectations that we have as consumers and how you can meet or exceed our expectations.
Experiencing a data breach is no fun on either end of the transaction. However, as consumers we are often in the dark about the specific details of the event. The organization with which we have the primary relationship may not be directly responsible, but they do need to be our advocate, offering assurances and transparency when impacted. These six communication tips will help protect your reputation and serve to strengthen any trust that may hang in the balance.
You owe it to your customers, clients, patients, donors, or associates to let them know about the event as soon as possible. This doesn’t mean you take weeks or months to provide the information while you craft a message that makes excuses or promotes your image. Address the situation immediately, directly, and offer a timeline for when more detailed information will be available.
This approach demonstrates that you are concerned, and care enough to provide me with prompt notification so that I might be more aware of the exposure and watch transactions and credit more closely. With today’s technology the hacker can conduct instantaneous transactions, so why should I be at a disadvantage by finding out months later? Time is of the essence.
The reporting of a data breach is no time to be playing the blame game. Guess what. Consumers don’t ultimately care about the who, what, why, or when but they do care about the how. How does this impact me, my credit, my exposure, my account, etc.? The fact that it was the fault of a vendor you selected really doesn’t matter much to a consumer. Their information is still out there and it’s because of their relationship with you that it happened.
In general, consumers will appreciate it when you accept responsibility for the relationship, express the value you place on it, and apologize for the inconvenience the situation has caused. They’ll see through the veiled marketing and public relations slants and appreciate the direct response.
Forget No Comment
Forget the words “No comment” when it comes to a data breach. If it happened, it happened. You need to have a statement prepared, even if it is a very basic admission that you are investigating the incident with more details to be provided later. The truth will come out and you will be viewed more favorably if you don’t try to cover up the event or limit its impact. Accept it, acknowledge it, express your regrets, and move on.
“Keep it real” has never been more appropriate. Many of those impacted won’t understand the jargon and technologically charged statements. Put the event in layman’s terms and speak to the customer who has no knowledge of the ins and outs of the process. Use words that evoke comfort, reassurance, concern, and activity: we understand, we feel, we can appreciate, we have acted, we are actively monitoring, etc. Show that you are genuinely empathetic and are impacted as well.
Monitor & Respond
Once you have made an official statement, be sure to monitor the traffic related to the story. Be prepared to respond and correct any erroneous statements or beliefs. Involve your marketing and public relations experts in handling the situation and be certain to coach your associates on appropriate responses and the narrative around this specific event.
Establish Your Plan
Dealing with the loss of data should be part of your crisis communications plan. Know and discuss in advance who will say what and when. Decision making should not be taking place during a crisis, when rumors hit the street, a social media post goes viral, or contacts roll in from traditional media. Your organization needs to have the plan in place well in advance of the event occurring, whether it is a natural disaster, employee infraction, or outsider attack. Establish the plan, provide a forum for its discussion and updates, and ensure preemptive activation.
It will always be challenging to deal with the unexpected in our businesses and nonprofits. However, it does not have to impact the relationships we work so hard to establish. Put yourself in your clients’, patients’, donors’, or associates’ place. Provide timely answers in a genuine way and you can weather the storm a data breach brings.
David J. Fry, MPS, CDT is Founder/CEO of Effective Advancement Strategies in Greensburg and author of Purpose in the Darkness. He consults with businesses and nonprofits throughout Indiana. He may be contacted at firstname.lastname@example.org