The Biggest PR Mistake in Privacy and Data Security Incidents: An Interview with PR Expert Melanie Thomas

15/08/2014 09:33

It happens all the time. An organization has a privacy incident or data breach. The news stories proliferate. Cries of “shame on you” reverberate across the Internet. A number of organizations have an incident response plan, but they often don’t have much of a plan for PR. Certain incidents can take on a life of their own in the media, like a sudden tornado that swoops in and leaves devastation in its path.

Melanie Thomas is a PR expert who focuses on privacy and security incidents. Her firm, Inform, seeks to help clients not only with post-incident PR, but also pre-incident PR preparedness. Melanie is an evangelist for PR preparedness before an incident occurs. Melanie has more than 20 years of PR experience working with a wide array of types of PR and for many of the world’s largest companies. Her firm has been focusing heavily on privacy and security PR.

At many privacy/security conferences I’ve attended, the topic of privacy/security incidents often comes up, but little time is spent discussing PR, other than the common refrain that post-incident PR is a very big challenge and often could have been handled much better.

I conducted this brief interview with Melanie because I think her views on privacy/security PR are enlightening and helpful.

Solove: What are the biggest mistakes companies make in their communications efforts following a data breach?

Thomas: I think the biggest mistake companies make is simply not being prepared. People falsely assume that they’re prepared because they ran a drill four years ago. They also assume they’re insulated from a crisis like a data breach because they have a solid IT team. Worse still, they think they can figure it out at the time a crisis hits. That’s like playing roulette. The facts are these:

  1. Crises take many forms, many of which you probably never thought about. Are you prepared for: data breach, cyber attack, third-party breaches, employee sabotage, employee error (the most common), supply chain disruption, weak earnings, natural disaster, terrorist attack, IP theft, disappointing clinical trials, disparaging social media chatter, lawsuit, employee layoffs, changing government regulations, and even employee and C-suite antics? You need to prepare for every conceivable situation. No matter how distant it seems.
  2. A crisis WILL occur when it is most inconvenient. Your attorney is on vacation, or it’s Thanksgiving, or your CEO is scheduled to speak at a conference – or worse, on CNBC.
  3. Crisis planning after a crisis occurs will lead to errors due to inaccurate information, panic, and chain of command confusion. People leave their positions, contact numbers change, regulations change, your spokesperson may prove uneasy in the spotlight. Don’t try to lead from behind.

Ask yourself: when is the best time to buy flood insurance—before or after the flood? Having insurance before you need it ensures you’re protected and you’ve thoughtfully considered your needs and best response. The same holds true for crisis planning.

Are there any other very big mistakes you see?

Thomas: One of the most unnecessary mistakes companies make is to expect their in-house team to manage a crisis situation. Your in-house team is critical to the daily functioning of your company. But don’t expect them to be masters of crisis, or specifically of data breach. The scope of their responsibilities is too great for them to be expected to know the evolving regulatory field governing data privacy and HIPAA, and be capable of adequate crisis response following a breach. Thorough crisis response requires professionals who spend their time following the evolution of the regulatory field, technology development and best practices.

Another major mistake I see is that companies either respond too quickly to a crisis, or too late. Timing is critical in crisis response. If you come out with comment too soon, you may not know the full extent of the damage, forcing you to revise your statement. Too late and it seems you are either avoiding responsibility, or insensitive to your customers’ plight.

Can PR really save a company when the breach is particularly prominent and has some ugly facts? Isn’t the media coverage just going to be really bad no matter what a company’s message is?

Thomas: Public relations can significantly mitigate damage in a crisis situation. A poor PR response can amplify the situation and cause additional damage to a company in a crisis situation. That does not mean you should EVER bury your head in the proverbial sand. Always take thoughtful action.

Consider the Target breach last fall: the PR response to what has become an all-too-common data breach situation made a bad situation a devastating one. The company went out too early with an assessment before a thorough understanding of the damage had been made. They miscalculated the number of customers affected; then they blamed a third party; and then they revised upward the number of affected customers. They appeared unorganized and insensitive.

Give your team adequate time to conduct a thorough forensics assessment. In the meantime, have your CEO provide a holding statement that earnestly expresses regret and a commitment to remedy the situation. Make sure, however, that your spokesperson is media trained. He or she will need it.

Your firm has focused on the data privacy/security space. Are there special PR considerations here? How is this different from general PR?

Thomas: Data privacy and cybersecurity require a deep understanding of the industry sector, regulatory field, and breach remediation. Good PR about an incident depends upon working smoothly with privacy and security officials. PR must be able to jump right in and understand the types of concerns affected individuals will have, the types of questions the media will ask, and the way that various players from regulators to media to advocates to thought leaders will react. PR must have a deep knowledge of what went right and wrong in the PR about similar types of incidents in the past.

PR is also critical in brand recovery following a breach or other crisis. Corporate social responsibility, media road shows, op-eds and letters to the editor, or community relations boards can help repair brand damage. So, in my opinion, you really want to choose a highly experienced, mid-sized generalist firm with interest and experience in data privacy and cybersecurity, a crisis preparedness training program, and crisis response capabilities -- a PR firm that can act as an extension of your in-house team. Look for one that’s focused on you, responsive, and worth the billable hour. You’ll know it's the right firm if you see people from the firm at industry events learning alongside your privacy team.

What types of things should a company have to ensure it is handling PR appropriately? 

Thomas: For effective PR, companies should have:

  1. A Crisis Communications Plan – You should have a robust plan that considers your company’s vulnerabilities and a response scenario for each. Your plan should also include crisis captains, precise messaging and media training for every crisis scenario, a coordinated media outreach plan, a media war room and staff, and a media monitoring strategy.
  2. A Crisis Communications Team – Identify all people who will be involved in the PR during an incident, their respective roles, and who will be making statements to the media.
  3. Advice of Former Journalists – The advice of former journalists is essential, as former journalists understand how the media craft stories, and they bring relationships with existing news media.
  4. Routine Assessments – Ensure your communications plan is effective and your team is prepared; check regulatory and industry updates because federal and state regulations change frequently. Stay abreast of how others are handling PR for incidents and learn from their successes and failures.
  5. Training – Hold quarterly training to ensure that your team is prepared and that your plan is effective. Insist on continuing education for your PR team. Industry practices change; so too should your team’s practices.

Thank you, Melanie, for your thoughtful answers. Melanie Thomas's PR firm is called Inform.

* * * * 

Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School, the founder of TeachPrivacy, a privacy/data security training company, and a Senior Policy Advisor at Hogan Lovells. He is a Reporter on the American Law Institute’s Restatement Third, Information Privacy Principles. He is the author of 9 books including Understanding Privacy and more than 50 articles. Follow Professor Solove on Twitter @DanielSolove.

The views here are the personal views of Professor Solove and not those of any organization with which he is affiliated.

Source: https://www.linkedin.com/today/post/article/20140811174234-2259773-the-biggest-pr-mistake-in-privacy-and-data-security-incidents-an-interview-with-pr-expert-melanie-thomas?trk=object-title


Marketers, Please Tell Me You've Got a Better Plan for Privacy by Sam Pfeifle

Consumers Don't Need to 'Stop Whining About Privacy.' They Need More Transparency.

As someone interacting with privacy professionals on a daily basis, I was struck by this recent column in Ad Age. It seems designed to provoke a reaction from those in the privacy community, particularly advocates, but the real fear is that this outlook may not be an outlier.

Essentially, the column is discounting privacy at its core, just as the general public is truly coming to value privacy as a brand differentiator. Maybe it's an argument we've heard before, but perhaps never in terms quite this stark: "Consumers should resolve to stop whining about privacy: Good marketers have always known where you live."

Truly, I thought "Give your customers what they want" was a pretty basic tenet. According to a recent report, 39% of consumers make buying decisions based on privacy, and 32% consider a company's privacy policies when deciding which website to visit or online service to use. Large, well-funded companies have literally gone out of business due to privacy concerns.

Marketers, you need to talk to privacy professionals about better ways to illustrate the data-for-service transaction. Just look at the examples in the column. Amazon's related items? They're generated by what other people -- who also bought that item -- previously purchased. Spotify's playlist? Perhaps they could come up with a fancy algorithm that identifies the other songs most frequently appearing in handmade playlists that include that song. And Netflix? It really doesn't seem hard to figure out that if our household watched "Thomas the Tank Engine," we also may be interested in some lovely "Strawberry Shortcake" episodes.

According to the Ad Age column, these types of personalized recommendations "simply don't happen without access to a consumer's preferences, age and local demographics." Why do marketers need age and local demographics data for any of that information? I think it's fair for consumers to wonder.

But the core of the argument is that this is the same stuff marketers have been doing for decades. Really?

To pretend like things aren't different now just seems, well, strange.

Marketers, I'm here to tell you: People do not think age and the location of their house is the same thing as a vast digital profile that includes the last 1,000 things they've purchased and the locations of everywhere they've traveled in the last 10 years and which things they've looked at online, but didn't buy, and on and on.

Sure, Sears has always targeted rural customers with their catalogs. But did they watch what pages people flipped through? Did they know which pages got dog-eared? Did they monitor and collate little Johnny's conversations with his friends about how much he wants a Red Ryder BB gun?

Somewhere between what marketers have always done and what we're capable of now there's a creepiness line. Privacy professionals are trained to help you find it, marketers. Talk to them.

They might point out that just because there are tools on the internet that make it easier for you to do your job, that does not justify their use. Just as the ability to easily make copies of movies and music doesn't make their theft fine and dandy, the ability to gather vast amounts of data through opaque methods as consumers navigate the web doesn't make them "whiners" when they say, "Hey there, hold up a second and maybe give me the option to consent to that data grab."

Marketers who have the sense to listen to customers when they "whine" and offer them fair exchanges that are transparent and easy to understand will be more successful. Some 64% of Americans think the government should do more to regulate advertisers, and Americans are not likely to respond well to an argument that boils down to: "Trust us!"

Why would they? They've just lived through Target, Home Depot, JP Morgan Chase, Sony, Heartland, and a host of other data breaches. They've just been told that Facebook was experimenting with their emotions. That those Snapchat images didn't really disappear. That the flashlight app was collecting and selling their location information.

And the argument is that consumers need to take a leap of faith?

You know what leap of faith means? Allowing that something exists even in the face of no evidence whatsoever. If that's what marketers want a data exchange to look like -- consumers giving you personal data even though there's no actual evidence you'll use it correctly -- then that's just not a good plan for success.

Read more: http://adage.com/article/digitalnext/marketers-a-privacy-plan/296984/

How Marketers Should Prepare for and Communicate a Data Breach by Craig Swerdloff

30/03/2014 11:16


Incidents of data theft are on the rise, as are the costs associated with them. A 2012 survey conducted by the National Cyber Security Alliance and McAfee found that one in four Americans had been officially notified that key elements of their personal information had been lost. With the recent announcements of data theft and hacking at Target, Neiman Marcus, and Adobe, the former two being propagated by a teenager, this is a topic we will be hearing about a lot more.

[Figure: Increase of Data Breaches Over Time. Source: http://datalossdb.org/statistics]

The main driver of data theft is fraud. Armed with large amounts of personal data, criminals prey on unsuspecting consumers. With just a debit card and a PIN (personal identification number), criminals can electronically withdraw large sums of money from bank accounts in a short period of time. With a credit card number and an expiration date, criminals can easily make several purchases before the credit card company suspects any unusual activity has transpired. 
 
What can corporations do to minimize the damage that data theft poses to them and their customers? The first precaution is to have a plan in place before these incidents occur.  This will allow companies to act fast and avoid costly mistakes. Second, companies should be prepared to communicate the details of the breach to their customers. Early notification gives consumers the ability to cancel their debit and credit cards before criminals wreak further havoc. For corporations, early notification minimizes legal ramifications, and, perhaps more importantly, avoids further damage to the company’s reputation.
 
At least 46 states, the District of Columbia, Puerto Rico and the Virgin Islands have laws requiring notification of data breaches. Certain states require notification within 30 days, leaving little time to waste in deploying a plan of action. Several measures must be taken in order to effectively communicate with victims, including: verifying email and postal addresses, writing the message that needs to be delivered, mailing notification emails and letters, and setting up a call center or other services specifically for the purpose of informing affected individuals. Keep in mind, some states mandate specific content to be included in these notification letters. This often includes toll-free numbers and postal addresses for the three major credit bureaus, the FTC, and a state’s attorney general. Importantly, multiple state laws may apply to one data breach because jurisdiction depends on where the affected individuals reside, not where the business is located. If some affected individuals live in a state that mandates notification and others live in a state that doesn’t, everyone should still be notified so the company is not accused of treating customers unequally. Furthermore, mishandling notifications can lead to additional consequences, including fines and other unbudgeted expenses. It could also further tarnish brand reputation and customer loyalty.
 
While some states mandate that corporations provide written notification via direct mail, the process can be slow and expensive. Corporations should consider a two-channel approach: quick notification via email, followed by a direct mail piece. Working with your Email Service Provider (ESP) will allow for fast and cost-effective notification through the email channel. First, make sure your email database is up to date. Using a third-party email validation service to identify and remove invalid email addresses before you mail is critical to protecting your sender reputation with the ISPs (Internet Service Providers). Second, have your ESP reach out to Spamhaus and other blacklist providers to notify them of the upcoming communication. It is very likely that a significant number of your old customer email addresses have been converted into spam traps, and you want to ensure your email regarding the breach does not land you on a blacklist. Working with your ESP, an email validation vendor, and the major blacklist providers will ensure that your notification (and other) emails are delivered to your customers’ inboxes.
 
While data theft is on the rise, corporations that respond quickly and intelligently, and effectively communicate with their customers will minimize the negative impact on their brand image and revenue. The email channel plays an important role in notification, but marketers need to be aware of the potential damage to their sender reputation and their email marketing performance.

See more at: http://www.leadspend.com/blog/cswerdloff/how-marketers-should-prepare-for-a-data-breach?sthash.flqoRWEW.mjjo#sthash.flqoRWEW.QlLt7KFI.dpuf


The Big Issue Marketers Don't Want to Discuss, But They Must by Bryan Eisenberg

18/03/2014 22:16

It sounds like IT, not marketing! Data breach, identity protection, customer security – these are terms that never concerned marketers much. The breaches that retailers Target, Neiman Marcus, Zappos, and other brands like Evernote, Living Social, LinkedIn, and Adobe suffered have impacted the way consumers are interacting with brands. Security is now also a chief marketing officer’s (CMO) challenge – it is no longer only a worry for the chief information officer (CIO) or chief technology officer (CTO).

The challenge for marketers is not making sure the CTO has bought the latest firewalls and verified all third-party vendors; the real issue is that today it is not if your brand will be breached but only when it will be breached.

The Target breach that affected nearly 30 percent of all Americans has been keeping their CMO Jeffrey Jones up at night. Target’s data breach, which enabled the theft of millions of customers’ payment information, lowered fourth-quarter profit by 46 percent. The final cost will be significant, but no one can quantify the exact damage to the brand. No amount of marketing or PR is going to change the anxiety that customers feel when they walk into the store and think about paying with their credit card for fear of having their identities stolen. Cashiers can see and hear the anxiety, but of course online marketers will never observe it.

Even before the Target breach and the NSA eavesdropping allegations, 66 percent of consumers expressed concern about identity theft should the data they share with businesses be compromised. According to the Washington Post, Target has spent $61 million to cover costs associated with the breach, including the cost of providing credit monitoring services to its customers. Even the choice of credit monitoring may have an impact on the Target brand. Target chose to offer a service from the same company that sells customers’ data (Target happens to be one of their large customers as well) to also protect their customers’ data. Something about that just doesn’t seem right.

In fact, Consumer Reports severely criticized Target’s Experian offering by saying that the retailer’s free credit monitoring could give you a false sense of security and the offering just seems a way for Experian to upsell additional services. They have not been the only ones to criticize Experian’s credit monitoring service; the community at the University of Maryland was shocked at what they found was going on:

“The retailer said it couldn’t provide an estimate of how much the breach would ultimately cost because of an ongoing government investigation.

If the government’s probe finds Target at fault for not complying with industry-specific security standards, the company faces fines in the range of $400 million to $1.1 billion, according to an estimate by Jefferies, an equity research company. That figure did not include lost sales or customer goodwill, the firm said.”

To understand how much the retailer stands to lose, analysts point to the 2007 attack on TJX, which affected more than 45 million customers and was carried out by exploiting an unsecured wireless network. TJX’s initial estimates put the damage at about $25 million, but once the dust settled, the company ended up paying more than $250 million.

Heading into SXSW, I know CMOs and senior marketing executives have customer security top of mind. In fact, I was chatting with my friend Pete Krainik, founder and chief executive (CEO) of The CMO Club, who shared:

“One of the hottest topics at recent CMO Club Dinners and on the minds of CMOs participating at The CMO Club House at SXSW, is the CMO’s role in both preventing data security and responding to data breaches. Their focus…[is] to minimize brand equity erosion and customer engagement. This is the new frontier of customer service’s impact on the brand.”

It’s a painful but serious topic, and one that every marketer should concern themselves with. If you collect data from customers, you are responsible for ensuring their protection and making sure they feel you are taking their identity protection seriously. As an advocate for the use of data, I’ll be at the CMO Club House and SXSW to talk about this serious issue and what marketers need to do to protect their brand.

Bo Holland, CEO of security firm AllClearID (who offers a solution), suggests, “Brands have the opportunity to stand out for proactively addressing it, and those who do not will very soon be far behind. Align your brand with the changing consumer mindset and be a leader in customer security.” If you want to learn more about what you as a marketer can do about customer security, check out this white paper.

Source: https://www.linkedin.com/today/post/article/20140313143802-6714-the-big-issue-marketers-don-t-want-to-discuss-but-they-must

How Consumer Privacy Concerns Should Guide Marketing Strategies

Privacy is the No. 1 concern of Internet users. And with all the heaps of data marketers can now collect on consumers online and in social media, those concerns are only going to increase.

ARTICLE HIGHLIGHTS:

  • Many large companies have privacy officers who set rules for managing data and audit compliance with those rules.
  • Hiring a privacy officer is usually seen by senior managers as a compliance cost.
  • The privacy officer could establish a framework of consumer privacy controls as a key marketing and strategic variable.

To get a better understanding on what role consumer privacy concerns should play in brand marketing strategies, CMO.com did some research. We found that privacy isn't something brands are willing to talk about, as both agency and brand execs we reached out to declined to comment. So we scoured the Web and found that companies need to be open and honest with consumers on how they're using data to inform marketing and why targeted advertising is better than the “spray and pray" approach. Here’s what we dug up:

According to MIT Sloan Management Review:
Many large companies have privacy officers who set rules for managing data and audit compliance with those rules; however, hiring a privacy officer is usually seen by senior managers as a compliance cost. A company that respects the relationship with its customers, on the other hand, would think of the privacy officer as a strategic role and would establish a framework of consumer privacy controls as a key marketing and strategic variable.

There are three strategies that companies can follow to transform touch points around privacy into a positive customer experience:

  • Develop user-centric privacy controls to give customers control.
  • Avoid multiple intrusions.
  • Prevent human intrusion by using automation wherever possible.

According to Entrepreneur.com:
Think protecting customer privacy is only an issue for business giants like Facebook and Sony? Think again.

Many small companies have lost customer trust or even been sued over privacy mishaps in recent years. And they're likely to face more problems as digital data files grow in size and importance to modern business.

You are legally, if not morally, obligated to treat your customers' private personal data respectfully and fairly. But protecting customer privacy need not be a drain on your company. Done wisely, it can create customer goodwill and even lift sales, while reducing business and legal risks.

Such a strategy involves more than securing a network from hackers and posting a boilerplate privacy policy. Here are seven steps that can help you build a comprehensive and effective privacy plan.

Michael Peterman, founder and CEO of VeraData, told DM News:
As a country, as a world, as legislators and consumers, how do we balance Big Data and consumer privacy? How do we protect individual privacy, while taking advantage of the economic benefits of micro-targeting? Considering the raging debates in Washington, it is prudent that we, as an industry, make clear to the world how and what data is being used by commercial entities. It is critical that we, as a society, understand how our information is being used so that we can make informed decisions, have intelligent debates, and ultimately vote in such a way that maintains and enhances our economic strength.

According to Business2Community.com:
As marketers we know that demographic information is beneficial to consumers because it helps to target our messaging and ultimately provide a better experience for consumers. In fact, 90 percent of execs surveyed said they’re dependent on consumer data for their marketing efforts. Brands don’t want to waste consumers’ time by sending them irrelevant emails. For example, a single woman doesn’t want to receive emails about diaper sales on Amazon.com, but a stay-at-home mother would be eager to receive those emails.

There is also an element of convenience to information storing. When a brand asks to store personal information online, like a credit card number, it’s easier for consumers who frequently shop on a site. Although there are many positives of collecting consumer information for targeted advertisements and email marketing, there are a few ways that brands can ensure that consumers’ personal information is safe. Here are a few tips for brands to consider with their privacy strategy:

  1. Let your consumers know you value their privacy and publicize what you are doing to keep their information secure. Prominently display BBB certification and other security logos on your Web site and dedicate an entire page to your privacy policy. This will give your Web site additional credibility and build trust in your brand.
  2. Let consumers know when their information is being disclosed. If you plan to use their information for one reason or another, tell consumers at the time you’re asking for the information. For example, have a sign at the cash register, a note at the bottom of a receipt, or a pop-up window on your site before they check out. Also, offer the opportunity for consumers to decline to provide certain information or opt out of the database.
  3. Tell them why you’re asking for their information, and be honest. Many brands ask for consumers’ date of birth to send birthday coupons. Some brands need consumers’ zip code and license number for their return policy because they use return tracking services, like The Retail Equation (TRE), to fight crime. Best Buy, for example, includes its disclosure information and an explanation of how TRE works on its Web site.

About Giselle Abramovich

Giselle Abramovich is senior & strategic editor at CMO.com. Previously she wrote for outlets including Direct Marketing News, Mobile Marketer, Mobile Commerce Daily, Luxury Daily, and Digiday. Reach her at abramovi@adobe.com, or follow her on Twitter @GAbramovich.

Source: http://www.cmo.com/articles/2013/9/4/privacy_CWTK.html