Ah, another day, another marketing misstep in the unfortunate context of crisis communications. Actually, "misstep" is far too lighthearted a term to use for many companies in the age of social communications.
Consider the news headlines devoted to the Sony data breach of 100 million user records. That seemingly never-ending saga was yet another reminder of the increased demand for open, honest, rapid, and ongoing communication in today's networked world. Failure to meet that demand will result in lost brand equity and lost customers.
A crisis can serve as a stage to show the world that your company is either unorganized and uncaring or responsible and human, as noted in what is still considered the best-practices playbook of effective crisis communication—Johnson & Johnson's handling of the Tylenol poisoning of 1982. Clearly, Sony should have taken a page from that playbook.
In this day and age, the chances are pretty good that your company will need some form of crisis communication, particularly in the areas of information security and data loss. Information is the new currency of the 21st century. All your data—from intellectual property, to customer databases, patient records, and even facility blueprints—are extremely valuable. Today, a severe data loss could end up being a going-out-of-business event for many companies.
In that regard, your marketing and communications teams play two important roles.
First, know that Marketing often serves as the Achilles' heel of information security. With the increasing advent of cloud-based marketing automation, your customer data is now sent to third-party companies that may not be as security conscious as you. (Note the recent breaches suffered by major brands due to their marketing vendors' security missteps.)
Also, be aware that your marketing department often handles some of the most sensitive documents in your company—from RFPs to blueprints, and of course, your customer and prospect database. Conversely, the marketing team is often the least likely to be trained in any form of IT security preparedness or processes.
Second, note that in the event of a major data loss (especially if you are a larger organization), powerful interests will come into play and could harm your company more than the breach itself. In a data breach, legal and corporate communications teams will often be at odds with each other.
Legal seeks to stop all communications and reduce liability, whereas communications teams become overly aggressive and spin all communications in the most positive light they can. Those differing points of view often cause delay, confusion, and the wrong messaging at the worst possible time. Case in point: Sony waited a full six days before alerting PlayStation users of the data breach, which infuriated not only customers but also legislators.
When managing a data breach crisis, here are seven general guidelines to follow.
1. Expect to have a crisis event
It's less about if you will have a crisis and more about when. That is especially true in today's networking age, where a 100% secure networking environment does not exist.
Chances are good that you will have a data loss or breach event, especially if you're in a targeted industry such as consumer, hi-tech, banking, aerospace and defense, or healthcare.
2. Have a predefined crisis communication plan in place
A predefined plan, at a minimum, should be a framework of how to handle a breach and should offer guiding principles for communications.
For companies that have identified some specific risks, such as stolen customer data, the plan can have scenarios charted out. For example, what would the plan be if credit card numbers were stolen?
Your plan should also list the members of the crisis team, the guiding principles of your communication (open, honest, factual, etc.), the designated spokespeople, and even templated communications reviewed by Legal.
Review the plan from time to time to ensure it stays fresh in everyone's mind.
3. Acknowledge the problem immediately
Take a lesson from the Sony saga. A crisis event is not the time to circle the wagons. According to Jonathan Bernstein, president of Southern California-based Bernstein Crisis Management and author of Keeping the Wolves at Bay: A Media Training Manual, "You can't hide anymore."
"If a crisis occurs in Biloxi, Miss., or Muskoka, Iowa, if it appears in the local paper, it is an international situation instantly because of the Internet," BusinessWeek quotes him as saying.
Thus, any communication professional who thinks they can just shove an incident under the rug is grossly mistaken. The longer you wait to disclose the issue and its potential risks to customers or stakeholders, the worse off you will be.
4. Become the news-breaker
Companies lose when they do not become the news-breakers, instead remaining the newsmakers. The crisis is yours, so use that to turn the tide and become the irrefutable source of accurate and timely news.
5. Use social media
As we learned from the recent uprising in Egypt, Twitter is often the first place news breaks. As Fast Company blogger (and principal analyst at Altimeter Group) Brian Solis recently wrote, "News no longer breaks, it tweets."
Understand that in the era of socially enabled communication, you're no longer in control. Nevertheless, the new (and more powerful) tools you have will help you turn the tide from being the newsmaker to becoming the news-breaker.
6. Be accountable
Once the news about the crisis is out in the open, people will automatically begin to question who is at fault. The answer (respectfully, from one communication professional to another) is you, a member of the marketing and communications team.
I know, I know, you probably had absolutely nothing to do with it. It may have been Bob in IT, evil hackers, or some third party you worked with two years ago, but your customers could care less.
Still, you are ultimately responsible for communicating to not only your customers but also the general public. Own the issue and identify what you're doing to resolve it. If you don't know the full details, say so, but offer a timeline and series of steps you'll take to shed light on what you're going to do next.
Be honest, open, and transparent. The public and your customers will respect you more, and your brand will face less scrutiny in the end. The moment that doubt of transparency or honesty has been seeded, you will be behind the eight ball in managing the crisis.
7. Make it right
And by "make it right" I don't mean offer those affected (customers or whoever else) free movies or other ridiculously inadequate consolation prizes, as we have seen happen far too often. Even if you can't make it right instantly, as Sony was clearly unable to do considering that the PlayStation Network was down for weeks, tell those affected what you will do. And do it quickly. You need to figure out what the best resolution will be ahead of time, even if it is impossible to resolve the problem right away.
Sony did attempt to make amends by offering US users a year of free identity-theft protection, backed by a $1 million insurance policy, along with a package of free games and movie services as compensation. However, Sony waited weeks to present users with what ended up being little more than a peace offering.
Once again, we can learn from Johnson & Johnson here because it recalled everything, and did so immediately. The first Tylenol-related death was discovered on September 29, and on October 5, Johnson & Johnson recalled all 31 million bottles of Tylenol in circulation in the US. The company moved at Internet speed even though the Internet wasn't around at the time.
* * *
Those seven steps, though a good start, are by no means comprehensive. Every brand and situation is different. Regardless, think ahead and expect the unexpected! Sony is a multibillion dollar corporation, so I'd venture a bold guess that it actually has a crisis-communication plan stored away, collecting virtual dust on a server somewhere. And I'm certain that remaining silent was not part of it.
Don't just have a plan. Make sure your team knows the plan and can implement it when necessary. After all, you don't want to become another "lesson learned" in the marketing annals.
Security breaches will happen; they always do. When you do fall victim to one, you'll want your response to become a shining example of "how it's done."
(Image courtesy of Bigstock, Man Looking at Computer.)