Data Breach Response: Managing Reputational Risk

Financial institutions have become increasingly sophisticated about managing data breach risk and related regulatory and fraud risk. Reputational risk can be more difficult to quantify and remediate and is a critical part of any data breach response and recovery planning.

The post-breach environment tends to be extremely chaotic even under the best of circumstances and often involves multiple, and sometimes conflicting, efforts to contain the breach and identify and secure information and related systems, all at a crisis pace and with extremely stressed resources. Damage to reputation is not covered by cyberinsurance or addressed by contractual indemnities but can often result in significant and long-term adverse effects on the value of a breached institution.

Consumers have a heightened awareness of the identity theft and fraud loss risks resulting from a breach of their sensitive financial information. Media scrutiny is at an all-time high. Recent large breaches show that consumers are very attuned to a breached company’s actions – or inactions – in response to a breach. Even when notice is legally compliant, complaints about undue delay in notifying consumers and concerns that notices may appear inconsistent or incomplete all directly undermine the institution’s response and resiliency efforts and threaten the goodwill and reputation of the institution.

As a practitioner, my experience has been that breached financial institutions care deeply that their employees and customers be protected and highly prioritize ease and thoroughness of remediation. There is a tension, however, between early notice and complete notice: between signaling the alarm and reassuring potentially affected consumers that the breach has been contained and remediation is possible. A premature and incomplete early notice, followed by a series of corrective notices, can be both insufficient to empower the consumer to protect him or herself and panicinducing. There is also a tension between early notice and any approvals that may be required by legal, compliance, cyber or other insurance carriers, or delays requested by regulators or law enforcement.

In any event, insufficient, delayed or inconsistent notices can further undermine customer confidence in a breached financial institution. You are either on their side, a victim also of the crime, or an uncaring institution looking out for itself or, worse, an untruthful or incompetent actor that caused the breach or failed to prevent it.

It is critical that all external-facing messaging, whether to media, customers, regulators, or law enforcement be consistent, uniform and pro-customer. The content of the information shared with each may vary but the message must be the same.

In any data breach event, there are internal and external team members that may have competing, or inconsistent objectives that are top-of-mind. It is critical that there be structured coordination among the internal stakeholders (usually legal, compliance, IT, marketing, line of business management, and executive) and external stakeholders (typically outside counsel, forensic investigators or other external IS, remediation vendors, PR, and insurers). There should be a strict hierarchy of input from the various team members that is escalated to an executive of the institution who, together with legal and outside counsel, decides what the unified message should be – to regulators, law enforcement, employees, customers and the media. All internal and externally-facing communications should be accurate and consistent.

The customer who calls customer service may not receive the exact same message that legal provides to the regulators or that PR releases to the media, but the message should be the same. Centralization and consistency of messaging – whether evolving or not – is critical to reassuring customers that you are acting as quickly and decisively as possible to protect them and their information. Notice, remediation, and ongoing customer support should be on-point and consistent. In this way, the breached institution may maintain and repair its reputation commensurate with its remediation and resiliency efforts while at the same time protecting its employees and customers.

Republished with permission. This article first appeared in the September/October 2017 issue of Board Briefs.