Intro
No matter how careful you are with your data governance and security, you’ll never be completely bulletproof. All businesses that deal with data need to have a data crisis plan in place. Hopefully, you’ll never have to use it. But, if your organisation suffers a hack, loss of data function, or data breach, then a crisis management plan really proves its worth.
Data breaches are ranked as one of the top three worst events for a brand’s reputation. They damage a business more than a scandal involving the CEO. Research shows that, on average, share prices fall 5% in the event of a breach. 31% of customers state that they will leave an organisation that suffers a data leak. One way to mitigate this is through effective data crisis management.
Creating your data crisis management plan
To get started:
- Identify potential scenarios
- The risk of each occurring
- The consequences of it happening
These will differ from organisation to organisation. A bank for high-net-worth individuals would class a leak of financial data and personally identifiable information as the most damaging. Whereas an e-commerce store might suffer more from a shutdown of its checkout system because of poor data governance.
Areas to look at include:
- Whether your organisation collects personal data, such as names, contact information and addresses.
- If your company communicates confidential information via email, and if so, how secure your email provider and passwords are.
- The security of your website.
- If you collect credit card details and if you follow all regulatory requirements and best practice with this.
- Whether your employees bring in their own devices (I.E. smartphones and tablets) to use at work and how secure these are. A bring-your-own-device policy that details security and use protocol is a good idea in this case.
Rank each scenario
Rank the scenarios based on how likely they are to occur, and how damaging each could be. Of course, with good data governance in place, the likelihood of a bank leaking personally identifiable information should be close to impossible. But it would still appear high on the list due to the huge damage that would be done to its bottom line and reputation (just ask TSB).
Develop a communications plan
For each data crisis scenario identified, devise a communications plan This should include the type of messages that will need to be sent out, to whom, and via what channel. Returning to the banking example, it would want to communicate with any affected customers quickly. An email sent to impacted customers would be ideal, along with a message on its social media. This would likely be followed up with an official statement to the press and/or a TV interview with the bank’s spokesperson.
Spokespeople need to be identified in your organisation. They will usually be senior and will have had some kind of media training.
There should be clear lines of communication in a data crisis. Everyone must know what to do (and what not to do) and who has responsibility for what. All employees must know who to report to in the event of a data breach or similar, and when to escalate an issue. This should also include when someone is out of office. Knowing this information beforehand will really help an employee if your data centre has a breach at 1 am on a Saturday.
Know which stakeholders need to be notified
You should carry out a stakeholder analysis to find out the parties that need to be notified immediately. This includes any customers affected (as we’ve already mentioned), spokespeople, people who will fix the situation, the PR or communications team, a crisis communications team, shareholders, the board and CEO, and a data body like the ICO.
Ensure accountability
Any crisis plan must have accountability built in. Each section must be adequately staffed, if not internally then by third-parties. Everyone must know who deals with what.
Test it continuously
It must be rehearsed regularly. This way, if the worst were to happen, then the plan can be carried out like clockwork. Regular testing also allows you to adjust the plan if needed and to test its effectiveness.
If a data crisis does occur, then the plan and everyone associated with it will be ready to spring into action. Once the crisis is over, it’s important to have a debrief session. Go through what worked and what could’ve been done better. Prepare yourself for another crisis, because lightning doesn’t always strike once.
Communication is key
Communication with customers throughout a crisis is vital. In the event of a data leak, customers will want to feel reassured that your organisation is working quickly to protect their data. If a technical fault occurs because of a problem with your data, then let people know that you’re resolving it quickly and normal service will return as soon as possible. However, don’t communicate that the problem is solved and think that your job is done unless you are 100% sure that it has. TSB continuously stated that its IT issues were resolved, only for angry customers to feedback that it hadn’t, forcing the bank’s chief exec to backtrack.
It’s critical that crisis communications run smoothly if your organisation is to recover from a data problem. When issues or data leaks occur, there is a huge loss of trust and reputation. In the handling of their IT crisis, TSB did more damage to their reputation by failing to resolve the problem quickly, and by stating that it had been sorted when it hadn’t.
How to nail crisis management
On the other hand, when hacked in 2013, social sharing platform Buffer gave a textbook example of how a data crisis should be managed. On discovering the hack, which posted spam from social media accounts linked up to Buffer, it quickly sprung into action. Buffer’s CEO immediately posted an apology and update to social media, explaining what they were doing to solve the problem. Buffer sent a message to their community and support groups, a blog explaining the problem was posted and users on the Buffer website received instant notifications. This level of care and concern communicated to its customers ensured that Buffer’s reputation remained untarnished. In fact, many took to social media to praise its crisis response.
Prevent it from happening
Prevention is the best cure, so ensure your data security and governance practices are gold-standard. When ranking your data, take note of any high-risk, high-value information that needs to be more secure. Flag this to your tech team immediately. Securing your data based on its value is a good use of resources. It allows you to concentrate on critical data sets like personally identifiable information. Security is everyone’s responsibility, not just the CIO or IT team’s. Make sure you communicate this across your organisation and that all employees understand what is expected of them and what is at stake.
Use data as your solution
If you suffer from a data crisis, you might not expect data to also provide you with a solution, but it can help significantly. Analysing data will tell you who to contact first, and through which channels. If you have operational issues, such as a checkout shutdown across stores, data can help identify the stores that have the highest turnover and should be prioritised.
Don’t stop using data
Data breaches, hacks, or IT meltdowns are a common hazard of the modern-day. For many organisations, it’s not a matter of ‘if’ an issue is going to occur, more like ‘when’. By preparing a crisis management plan and rehearsing it, you offer your organisation the best defence against the damage a data crisis can wreak.
Don’t let the risk of a crisis put you off using data. There is so much value that data can offer your business. In fact, you’ll do yourself more disservice if you avoid data entirely than if you use it with a few precautions.
For more insights into your data management and governance, make sure to download our Data Management white paper.
