
Securing goodwill: Good post-cyberattack protocol vital

Quick, smart action can be key for businesses cleaning up after a cyberattack.

When an online retailer operating in New Jersey launched an immediate investigation, it informed affected customers swiftly, said Rich Tauberman, executive vice president at East Rutherford-based public relations agency MWWPR. The company also offered credit-monitoring services and made public disclosures as required.

“We also prepared media statements,” Tauberman noted. “Because this wasn’t a high-profile organization, there wasn’t a lot of interest in this particular incident. Still, it’s always a good idea to be prepared.”

Post-hack tips

– Be prepared: Besides beefing up your tech systems, put an incident response team in place before you get hacked.

– Be transparent: You can’t hide news about a cyberattack, so get out in front with the story – but make sure of your facts.

– Be careful: Run communications by public relations and legal specialists before acknowledging a breach externally.

– Be personal: Your CEO can’t personally contact every customer, but calling key customers could let them know you care and help to keep their business.

An average of eight new cyberthreats emerged every second in the fourth quarter of 2017, double the number of threats in the third quarter, according to a recent report by cybersecurity company McAfee. That’s why it’s more important than ever for companies to not only bolster their online defenses, but also plan for a legal defense and a public relations campaign if they’re hacked.

“I advise clients that the best way to prepare for a crisis is to establish goodwill with business partners, customers and the general community,” said Tauberman. “If you have great relationships, people understand that stuff happens. But you have to be transparent and move quickly to reassure folks that you’re addressing the issue and taking steps to try to prevent it from happening again. Unless you totally screw up, customers are likely to give you the benefit of the doubt. But you need to have a response plan in place before an incident occurs.”

Trying to ignore the problem is unfeasible in today’s hyper-connected environment; prompt, factual communication will do more to burnish a company’s reputation. “Also, consider how you’ll inform your customers,” Tauberman said.

Email is an efficient way to communicate the message, but personal phone calls to key customers are also a good idea.

“Some companies may also want to get their CEO out there, through videos, press conferences or other channels to reassure people that the company is taking the incident seriously,” Tauberman said.

Because just about all companies are subject to a cyberattack, every business should have an incident response plan in place with appropriate spokespeople.

Said Tauberman: “Technology companies have long been aware of the threat. But today, even mom-and-pop convenience stores or restaurants are becoming aware. Cyberattacks are no longer a novel thing.”

A company that’s suffered a cyber-breach also has certain legal obligations.

Said Robert Egan, a partner at the law firm Archer: “If personal information — like bank, credit card or other data — about New Jersey residents was accessed, there’s an obligation to report the incident to the individuals and others, including state authorities. But it can get even more complicated, since generally the obligation to report also depends on where the data subject lives. So a breached company may have to comply with different disclosure and other requirements from multiple states. Federal requirements may also be a factor.”

The process is necessary for other reasons as well, he added.

“Your image will be better if you act quickly to get to the bottom of the situation, bring aboard legal counsel, forensic and other experts, and don’t try to run from the situation,” Egan said. “If you can face up to it and accurately portray your company as an innocent victim, you’ll likely have an easier time with the public and with regulators.”

Any company, especially one with personally identifiable information such as social security numbers, bank and other data, should have an incident response plan in place before a breach, he counseled.

“In addition to lawyers and tech specialists, you want your marketing and internal and external public relations people on board,” Egan said. “It’s not just about stopping the bleeding, but also about getting your message out.”