Claims Assistant at HNI
Privacy breaches were big news in 2014. Notable examples include Target, the United States Postal Service, Home Depot, and Sony — and these were just the ones that made headlines. Thousands of small to mid-sized businesses suffered cyber breaches as well without making the national news.
The thought of compromised customer data — and the impact of having to communicate this to customers and vendors — is enough to make business leaders break into a cold sweat. But these are not the only stakeholders who stand to lose big from a privacy breach.
A breach through your employees' eyes
When employees learn that their own data may have been compromised, it gets personal — they’re worried about their savings, their retirement funds, their kids. A privacy breach has the potential to significantly impact employees, and failure to recognize this (and communicate accordingly) can be a huge threat to morale.
You don't want your team learning about a data breach or how to handle it through the grapevine. This is something that must be addressed head on, and quickly.
Employees will lose confidence in leaders who fail to give frequent and transparent updates about the breach status and recovery efforts. The damages to your employer brand can run deep for both existing employees and prospective new teammates.
Best practices for communicating with employees during a privacy breach
Every situation is unique. Should your company fall victim to a cyber breach, you will want to work closely with your risk advisor, legal counsel, and communications experts to determine the best course of action.
The following are some general best practices to keep in mind to protect employee morale and put a damper on rampant speculation:
1.) Communicate, communicate, communicate.
Get out ahead of the news. Don’t let media outlets and blogs own the story of your company and frame the message to your employees. Early and frequent communication shows your employees and customers that you are working to control the situation, and not passively sitting by.
2.) Partner with a security firm ASAP.
Depending on the type of breach that occurs, you may have a legal obligation to offer identity theft protection or credit monitoring resources. If this is the case, offer employees lots of reminders and tips on how to take advantage of the privacy security experts you’ve hired.
Even if you aren't legally required to foot the bill for such a service, it may be worth making the investment for your employees to give them additional peace of mind. At the very least, share information on reputable credit monitoring resources that they can pursue on their own.
3.) Give employees time to deal with this.
Encourage employees to take time "on the clock" to shore up their private accounts, passwords, and credit data, and make someone available to answer any questions. By giving them the time and resources to take care of their personal accounts, you are removing a huge source of stress.
This shows you are taking care of your people first and creates trust in you as the employer. Removing this worry brings you one step closer to focusing on getting your business back on track.
4.) Publicize your recovery plan.
Let people know that there is a plan to fix the problem and which people or departments are on it. Do they need to change anything in their workflow? Will there be any interruption in regular business operations? Sharing basic information like this builds confidence. People don't need to know the minute details, but they want to know you've got it handled.
Also make it clear who will be handling media inquiries, reminding your team that only certain personnel are authorized to officially comment on behalf of the company.
Going through a data breach can be a stressful event, and some individuals may need to get their concerns off their chest. Provide an outlet for employees to share feedback, questions, or complaints, whether that's direct access to the individual running point on the recovery or even something as simple as a general email inbox for comments.
Don't penalize anyone for an emotional first reaction. Providing an outlet for discussion lowers the risk of employees "taking this outside" and tarnishing your brand with negative comments to news outlets or on social media.
When a vendor or partner is the victim of a breach
In this blog, we talked about handling cyber breaches of your company's data. You may also encounter situations where a vendor or partner that you work with is responsible for the breach.
In these situations, your employees are likely still suffering from some of the same anxieties. Reinforcing or offering additional guidance beyond what the vendor is communicating can help alleviate some of this concern and help employees manage their risk.
Unfortunately, cyber risk will only continue to grow. But like other risks, with careful planning and some thought we can prepare for their worst and be empowered to handle them with our best.