It is also worth noting that employees can cause data breaches intentionally. For example, employees have accessed confidential tax and medical records of celebrities in the US.
Victims of the unauthorised release of medical records include Michael Jackson, Whitney Houston and Britney Spears. As a result of highly publicised celebrity data breaches involving medical records, the State of California passed a patient privacy law in 2008.
When data breaches are caused by human error, organisations should consider automating the process. For example, if ACC had automated the distribution of claims information, this would have greatly reduced the likelihood of a data breach. A manual system involving email attachments is prone to human error, which is much less likely to occur in an automated system with safeguards.
In the case of employees improperly accessing sensitive information, an organisation should take decisive action against the employees, including dismissal if necessary. With the proliferation of electronic medical record systems, it has become easier to track employees who have accessed medical information without authorisation.
Disciplinary action also sends a strong signal to other employees that inappropriate behaviour is not tolerated at the organisation.
In addition to data breaches caused by actions of employees in an organisation, a data breach can also occur because of unlawful actions taken by external parties.
For example, a hacker attack at Sony Pictures resulted in the disclosure of sensitive internal documents. These documents included unflattering comments made by Sony executives about movie stars.
The media reported extensively on the revelations that resulted from the hacker attack, which was very embarrassing for Sony Pictures. However, unlike the data breach at ACC, there was sympathy for Sony's predicament.
Law enforcement officials in the US described the hacker attack on Sony as unprecedented in its sophistication. In 2018, the US Department of Justice also issued formal charges related to the Sony hacker attack against a North Korean citizen. The charges alleged that the North Korean was working on behalf of that country's intelligence agency.
It is worth noting that the case of Sony Pictures should be viewed as an exception, and companies should not expect that the public would be sympathetic to a company's predicament during a hacker attack.
With hacker attacks becoming more common in today's digital environment, the public are increasingly asking whether the hacker attack could have been prevented. Did the company invest sufficient resources in safeguarding sensitive data from a hacker attack?
Over the years, the narrative in the media has shifted from the company as a victim, to the company failing to prevent the hacker attack from occurring in the first place.
What should a company do if it is a victim of a hacker attack? The first priority is to protect its employees and customers. The company needs to inform them of what happened, and help its stakeholders minimise the harm caused by the security breach.
For example, if the hackers have stolen sensitive credit card information, the company should advise its stakeholders to cancel their credit cards as soon as possible. Any delay in notification will cause more harm to the company's stakeholders.
Governments have also become involved in protecting the public from data breaches, and in a number of countries there is legislation requiring notification of such events. For example, in Australia there is mandatory data breach notification and organisations are required to notify affected individuals if there is a risk of harm.
In New Zealand, Parliament is discussing changes to the Privacy Act; however, there is currently no mandatory requirement for data breach notification.
In addition to protecting its stakeholders, a company needs to convince the public that it is taking decisive action to reduce the likelihood that another data breach will happen in the future.
Hiring a credible independent third party to investigate the cause of a breach is a good first step. However, it is also important for the company to implement the recommendations of the investigation. Customers will not be forgiving if another data breach occurs as a result of ignoring the findings from an investigation.
Daniel Laufer, PhD, MBA is an Associate Professor of Marketing at Victoria University of Wellington, and an expert in Crisis Management. He has previously provided commentary on best practices in Crisis Management for the Wall Street Journal in the USA.