Elizabeth Cholis

Data breaches are among the most dangerous corporate crises facing the world’s largest companies, particularly those that are consumer-facing. For starters, there may be lessons learned circulating after each new breach, but it’s hard to have an agreed-upon cyber response playbook when a breach can manifest in myriad ways. There may be the unique element of an outside malicious actor, potential follow-on attacks and/or the difficulty in ascertaining the breach scope. Not to mention the means by which corporate cybersecurity measures are breached are often fundamentally foreign to many executives.

All that is to say that we — both corporate leaders and communications professionals — are still trying to figure this issue out. But with each new breach that is reported, we learn something new about how to respond, and more importantly, how not to respond. Both of which bring us to the newest crisis facing Uber.

This article is featured in O'Dwyer's Jan. '18 PR Buyer's Guide & Crisis Communications Magazine.

Uber’s admission that data from 57 million customers had been compromised in 2016 is not a staggering crisis in and of itself. While all data breaches are likely to have a deleterious effect on a company’s reputation, the scale of the breach pales in comparison to much larger hacks at Equifax, eBay, Heartland Payment Systems and, of course, Yahoo. What is shocking, however, is the news that Uber paid the hackers $100,000 to keep the breach quiet: from regulators, lawmakers and the public. This is, as far as we can tell, unprecedented, potentially illegal and, like a virus, has the potential to infect the reputation of some of the most powerful people at the world’s most valuable private technology company. It was a staggering mistake from both reputation management and communications perspectives.

Following the discovery of the cover-up, it was reported that former CEO and current Board member Travis Kalanick was informed of the breach in November 2016. If Kalanick informed his fellow board members and if they acquiesced to the cover-up, their reputations have been compromised to some degree. If he didn’t, his continued presence on the board will continue to inflict harm on Uber’s reputation.

New CEO Dara Khosrowshahi has made repairing Uber’s tarnished reputation one of his primary responsibilities since Kalanick stepped down. Khosrowshahi has acknowledged to employees that “there is a high cost to a bad reputation” and that “it really matters what people think of us.” His response to the cover-up disclosure reflected this; he didn’t make excuses but apologized and promised that Uber would learn from its mistakes. Uber’s next move remains to be seen, but investigations have been launched in the US, EU, UK, Australia, Singapore and the Philippines. Class action lawsuits are being filed. Whatever the eventual cost, it’s likely to exceed $100,000.

The manner in which Uber mishandled its data breach may be unique, but the fact that it failed to properly handle the crisis is not. The truth is that it’s difficult to find examples of businesses that follow proper crisis communications procedures when they are hacked. That said, we’ve seen enough to have a good idea of what not to do. It’s a bit like the early Obama foreign policy: don’t do stupid stuff.

First, acknowledge the breach quickly and publicly. This is crisis communications 101 in nearly every other circumstance, yet we continue to see companies that fail to publicly disclose when they’ve been hacked. Beyond not paying $100,000 to keep things quiet — it’s clear this is not a good idea — companies should avoid burying the news in an SEC filing or other methods of obfuscation. Rather, they should follow Khosrowshahi’s example — apologize and clearly outline the information they have. Make that information readily available to impacted parties — Q&A documents, microsites and other digital content can be a real asset. Companies should appear action-oriented, proactive and transparent. Yahoo provides a stark example of what happens when a company fails at this. During negotiations with Verizon, the company announced that some 500 million user accounts had been compromised in 2014. Subsequently, it came out that an earlier breach in 2013 had exposed a billion accounts. That number was revised to include all three billion user accounts, and Verizon’s purchase price was reduced by an estimated $350 million.

Second, take steps to improve your security, and communicate them clearly to the public. Data breaches are fundamentally difficult for most consumers to understand, and uncertainty breeds fear. There’s no erasing the harm of a cybersecurity failure, but companies can help preserve their longer-term credibility with a plan to prevent future intrusions, and a communications strategy to match. JP Morgan Chase provides an example for other companies to follow. The bank was hacked in 2014, exposing the contact information of 76 million households. Shortly thereafter, CEO Jamie Dimon pledged to double JP Morgan’s $250 million cybersecurity budget. People may not understand the technical controls that safeguard their personal information, but everyone understands that half a billion dollars is a meaningful commitment. That answers a fundamental question that companies need to be able to answer: what were you doing before that allowed you to be compromised, and what are you doing now to make sure it doesn’t happen again?

Finally, don’t pay off criminals. Reading that sentence out loud should be all the convincing any executive needs.


Elizabeth Cholis is a managing director in the strategic communications segment at FTI Consulting and a member of FTI’s Crisis & Issues Management practice.