Reputation management of a data breach

24/07/2014 07:20

Data security breaches almost always give rise to a risk of reputational damage to the company responsible for controlling and processing the data.  From the moment the breach occurs, the media may start making inquiries and/or publish or broadcast allegations about the breach. 

Also, there are likely to be worried or angry customers whose data has or may have been disclosed without their consent.  They may publicise the matter in social media and/or inform journalists, as well as the regulator.

Whether the breach results from a third party supplier accidentally leaving a laptop on a train or from sophisticated hackers breaking through firewalls and encryption systems, it can lead to distrust of the company.  In turn, this can result in lost sales and/or a dip in share price. 

Prior to a breach

Within a very short time after the breach, a journalist may be telephoning demanding to know what has happened and who is to blame.  It is very important to be prepared for this.  A company should plan in advance who will be part of its data security breach team because it will need to react very fast to try to preserve its hard-earned reputation.  This should preferably include an expert in reputation management and PR, as well as regulatory and litigation experts. 

On the breach occurring

The following are recommended:

  1. a journalist could contact anyone in your organisation.  Make sure that all employees (or suppliers) channel any inquiries to the relevant team dealing with the breach;
  2. journalists may suggest that your company is to blame and/or ask what happened.  In the beginning, you may not actually know what has happened and many rumours and accusations may be circulating.  Try to demonstrate that the company is taking the matter very seriously and is fully investigating it.  Be cautious about jumping to conclusions and blaming others before the facts are known;
  3. it may be that you were not actually to blame and a third party supplier caused the loss/breach.  However, if you are the data controller for any affected personal data, you may be deemed to be responsible for the security of the data, even if you did not cause the breach.  Furthermore, defaming a third party can expose you and/or the company to risk of a defamation action.  Two of the main defences to a defamation claim are (i) truth and (ii) honest opinion based on true facts.  Therefore, be sure of the facts before trying to blame others;
  4. if a journalist contacts the company, this is the company's chance to correct any false assertions or at least to get the company's side of the story across.  In England, it is very difficult to obtain a pre-publication interim injunction to stop someone saying something defamatory.  Therefore, it is better to communicate the key message to the journalist.  A 'no comment' response may be interpreted as an admission of guilt; and
  5. be aware that anything you say to customers and/or journalists may be used by the regulator, the company's insurers and/or in litigation against the company.

Material already published by the media

If the media has already published false and defamatory allegations about the company, it may be possible to obtain a correction and/or apology by deploying defamation law and/or the relevant press regulations.  It is generally easier for a media organisation to amend or add a statement to an online piece than to publish something in the next hard copy edition.  Moreover, online content is arguably more important to correct or balance, since it is searchable and can be available forever. 

In England, the media may have a defence to a defamation claim even if the allegations are unproven or false, namely qualified privilege.  This applies to stories on a matter of public interest which are the result of responsible journalism (the "Reynolds" defence).  Once the provisions of the Defamation Act 2013 come into force (likely by the end of 2013), companies will find it more difficult to rely on defamation law for two reasons.  First, under the 2013 Act, a statement is not defamatory of a company trading for profit unless its publication is likely to cause the company "serious financial loss".  This is likely to be difficult to prove in court.  Second, there will be a defence for publication on a matter of public interest where the publisher reasonably believed that publishing the statement was in the public interest.  It seems probable that this defence will be similar to the "Reynolds" defence which it replaces.  However, it is currently untested and may be more flexible.

Allegations in social media

Customers and other members of the public or even competitors may comment on the breach in social media, e.g. on Twitter and Facebook, and/or in the comments sections of news sites.  People can be very quick to blame a company accused of a data leak.  It is, therefore, also important to communicate key messages quickly on social media.  However, it can often be difficult and risky to engage in discussions on social media, especially before the facts are known.  The main things are to show that the company is doing everything it can to find out the facts, limit any damage and correct any misinformation.