Data breach and Reputation Management

Reputation management and data breach are two phrases you don’t want to see in the same sentence. However, sometimes you are going to be in a situation where dealing with the consequences of a data breach is inevitable.

It is important to understand that trust and reputation management are tightly connected. When an incident like a data breach occurs, it is a true test of the reputation management approach you have taken and the bond you have created with your customers over time.

Research shows that 69% of people think privacy and security practices are important in preserving trust in companies.

What does this mean for your company in terms of numbers and facts? Let’s find out!

What are the reputational damages of a data breach for a company?

So, you have suffered a data breach, what now?

You can expect everything, from bad press to your customers turning against you on social media and loss of clients. This is a downward spiral into the loss of brand value, loss of trust, and eventually financial losses.

71% of CMOs believe the biggest cost of a security incident is the loss of brand value.
Source: The impact of data breaches on reputation and share value

A data breach will not only affect the level of trust within your current customer base but also shape how you are publicly perceived by potential customers. It will also impact your business operations, brand value, and investor appeal, not to mention the costs of a data breach.

The most recent research by FTI Consulting, from March 2020, revealed that companies expect a 9% drop in their global annual turnover as a result of a data privacy crisis.

“Respondents explained this drop would manifest through “very negative” impacts on organizational reputation, investor confidence, business operations and external relationships. Based upon the respondent organizations’ current average annual turnover cost of $830 million, these effects are estimated to cost $79 million in losses.”

How you decide to deal with the breach will in a lot of ways determine what happens to your brand and your company. However, the situation is not hopeless. There is no better way to explain this than with real-life examples:

Bad example of dealing with data breach

A few years back, Uber found out that hackers had accessed personal data of 57 million riders and drivers. Instead of coming forward with the situation, they decided to pay hackers and cover it up.

Obviously, the cover-up did not work, and by not informing customers and drivers that their personal information was compromised, they directly violated data protection law.

General Data Protection Regulation (GDPR) dictates that data breaches must be reported to the supervisory authority within 72 hours of being identified (unless an exception applies).

After everything went public, Uber’s CSO was fired, and Uber paid a $148 million settlement. Their already shaky reputation was put to the test when the #DeleteUber campaign was launched by customers who were encouraging others to stop using the platform. It all added up, and the data breach did not help.

There was a lot of negative publicity around Uber at that time, and competitors saw the opportunity to challenge Uber, who had thus far been the undisputed market leader.

This example shows how a series of bad decisions made by upper-level management affected the company over a long period, resulting in financial penalties, reputation damages, and loss of customers.

Good example of dealing with data breach

On the other hand, Canva suffered a cyber-attack in 2019, but how they handled it was a great example of how a data breach should be handled. They immediately locked down Canva, stopped the attack as it was happening, and notified their users with full disclosure of what happened and how their data was affected.

The open approach they took and their quick reaction when the incident happened helped them control the damage done to their brand and reassure their customers that the data breach was their highest priority and that they were on top of the situation.

Steps you should take in the case of a data breach

When a company faces challenges imposed by a devastating data breach, it can be incredibly difficult to make all the right moves. Top priorities should be:

✅ evaluating the situation
✅ minimizing further damages
✅ notifying data protection authority (if you are obligated by the law) and individuals affected

It may not seem that way immediately, but in the long run, the protection of personal information of your customers should always be a priority.

The way the company handles the situation will affect the way the consumers will perceive the company in the future.

What is the best approach?
1. Clear and transparent communication

If you have suffered a data breach, after you have contacted your customers and notified them of the situation, issue a public statement via your website immediately. Disclose the situation, explain what happened, which personal data were affected, and how you are handling the breach.

Open your communication channels and enable customers to contact you via chat, phone number, or e-mail, and ask additional questions.

This way you will have control over your online reputation and discourage false information from circulating through the Internet.

2. Focus on prevention

Your company should create carefully constructed data security and data privacy policies and identify the most probable and destructive scenarios so that it can prevent them before they occur.

Don’t be disheartened by what happened; learn from your mistakes. Do this even after the breach has occurred. This is a point where the CMO, IT, and the DPO are forced to collaborate, even if this is not a usual practice in your company.

Most businesses collect data to refine their marketing strategy or to improve customer experience, and they should be responsible for it. The responsibility of the company is to do whatever is possible to ensure that the personal information of their customers is secured.

With the GDPR, a wave of legislation around the globe is making customers aware that their personal data is valuable and, most importantly, very exposed. How companies handle collected data will be more and more important, and it will become the core of any reputation strategy.

Marriott is a fine example of what happens if you disregard this. Two years after they suffered their first breach, a new incident transpired, affecting 5.2 million individuals.

Either they have a serious case of bad luck, or they just haven’t learned their lesson, but it is safe to say this is not helping their efforts to salvage their reputation after the damage caused by the first breach.

What happens with a company’s online reputation after a data breach?

The Edelman Trust Barometer research from 2019 shows that 65% (their highest historical levels) of consumers trust online search engines the most when researching a business. This means they will consider it a reliable source of information.

Make peace with the fact that your past reputation will follow you, but you can control what happens later.

Although there are artificial ways to affect your online reputation, there’s no way to effectively create a false impression with any lasting power, so steer clear of that strategy.

Customers today have a very effective platform to speak their minds and leave their reviews. Instead of trying to control their behavior, you should try navigating your business decisions to what customers want – trust and transparency.

Be patient, do not try to manipulate your social media outlets, focus on your long-term strategy, and show how you have changed by displaying your improvements in data security.

Reputation management: How does a data breach affect customer relationships?

A data breach is one of the three most common and fastest ways to undermine a company’s reputation (the other two being poor customer service and environmental incidents).

Consumers place a significant amount of trust in the companies they share personal data with, and they do so because 71% of them believe those companies accept an obligation to control access to it. However, according to the Ponemon Institute study, less than half of CMOs and IT practitioners are taking responsibility for it.

51% of consumers said that in the past two years, they had been notified by a company or government agency because their personal information was lost or stolen as a result of one or more data breaches.

Nearly two-thirds reported that the incidents caused them to lose trust in the breached organization. As a result, almost a third took steps to terminate their relationship with the organization (The impact of data breaches on reputation & share value study).

What is the cost of a Data Breach?

The Ponemon Institute study stated that the global average total cost of a data breach in 2019 was $3.92 M (approximately €3.62 M). Trends show this number increasing yearly, up from $3.86 million in 2018 and $3.62 million in 2017.

The average cost for each lost or stolen record containing sensitive and confidential information also increased from $148 in 2018 to $150 in 2019.

There is also a relationship between how quickly an organization can identify and contain data breach incidents and the financial consequences.

The average time for a company to identify a data breach was 197 days in 2018 and 279 days in 2019.

Good reputation management: How to (re)connect with customers and build trust?

On the other hand, when your company is perceived as having a good reputation, it can result in a number of positive things, lessening the risk and accelerating the profit of the company.

Good reputation management also helps create happy, loyal customers, who in return, become brand advocates spreading the word about your company. According to Salesforce research from 2018, there is only one way to get there: transparency and control.

Customers have stated that they would be more willing to trust companies that give them control over the collected information, are transparent in the way they use that information, have a strong privacy policy, or ask for explicit consent.

For a company that operates on a large scale, it is of the utmost importance to operationalize data protection by keeping the data safe and implementing data privacy processes. Also, to be fully transparent, it should provide its customers with a self-service privacy portal where they can manage their privacy preferences and get information about how the company is processing their data.

Proving that you are compliant with data protection laws will be a new form of good PR.

In the recent research “State of Connected Customer” by Salesforce, some incredible insights were given about what would make customers increase their level of trust in companies that process their personal information. Frankly, the answers given were quite reasonable:

• 92% of customers stated that they would be more willing to trust a company with their personal information if they would have control over what information is collected about them (Data Privacy Manager has a built-in portal for managing customer’s privacy settings, a simple solution that will give customers complete control over their personal data.)
• 91% would appreciate transparency about how their information is used
• 91% said that they would like to see a commitment by the company to protect their personal information
• 90% would like a company to have a strong privacy policy
• 88% would like a company to ask for their explicit consent to use their information (which is legally required by the GDPR anyway)
• 88% of customers do not appreciate sharing their personal information with third parties without permission
• 86% would be more willing to share their information if you would explain how using their personal information will improve their customer experience
• 78% would trust you with their personal information if you can fully personalize their customer experience

Those are some really high percentages, and having a strong privacy policy or asking for explicit consent is not really an impossible task to achieve.

What can you do to make your customers trust you more?

In 2018, customer expectations hit all-time highs (according to data-driven research on more than 6700 customers). Customers know their rights and are not afraid to exercise them.

Keeping a record of their activities and requests becomes a complicated process, and that is why automation is the key.

As the company progresses even further with customer acquisition, data collection, and market expansion, automation of the processes will become unavoidable.

Protecting customer data, fulfilling their rights, and building trust are three interconnected things. Here is a quick checklist on how to start that journey:

• create a privacy policy and stick to it
• explain to the customer why you are asking for their data, how it will be used and who is going to process it
• respect the deadlines for resolving customer requests and enable customers to exercise the rights that the GDPR (or any other legislation) has given them
• show them how the collected data is going to provide them with useful information or a better customer experience
• protect their data by any means available and adjust the level of data security to the sensitivity of their data
