Government, media and public reaction to Yahoo's massive data breach could do for cyber-privacy what The Jungle did for the meat-packing industry.
Congresspeople are again calling for a notification standard requiring consumers to be told about a data breach "in a more timely manner," a phrase that means nothing until lobbyists and activists representing a dozen different agendas fight it out. But there will be some form of federal regulation, where none exists currently.
Read on below about the four considerations that make cybercrime a uniquely complicated corporate PR crisis:
Bad News Handbook -- With cybercrime against U.S. corporations increasing beyond already epidemic levels, its victims remain largely ambivalent about when, why and how to communicate about it.
According to the advocacy group Privacy Rights Clearinghouse, U.S. companies have been hit with more than 2,600 significant network hacks and breaches since 2010. Yet the Wall Street Journal reports that in that same period, barely one percent of all publicly traded corporations disclosed any cyber-crimes in their Securities and Exchange Commission filings – an apparently glaring contradiction in this era of hyper-transparency.
For some of these companies it’s also a precarious position. Consider the potential fallout should a company be forced by events or law to disclose a significant data breach, which in turn unveils previous incidents that were kept hidden from investors and customers.
So why are so many companies not communicating beyond what's required by current disclosure regulations? Here’s one reason: As a reputation risk management problem, a network hack or data breach constitutes a uniquely complex corporate PR crisis:
It’s no wonder that senior execs are more concerned with managing cyber threats than with almost any other risk to their companies’ reputations.
And it’s why many tried-and-true rules for crisis communications no longer apply.
(CorpCommBlog.com) -- A new survey says three-fourths of corporate data theft is caused by “insider negligence” -- a nice way of saying “companies that for some reason still let employees do internal email while connected to a free wi-fi service.”
As many companies and politicians learned the hard way, hackers love stealing emails in part because of the wacky fun that ensues when they are made public. And cybercrooks are becoming steadily more proficient at leaking e-plunder in ways that disrupt the victim’s reputation and operations for as long as possible.
Here's the kicker: More than 60 percent of those surveyed said they have access to company data that they shouldn’t see. "Too many employees have too much access to the company’s most valuable information," said the lead researcher. “Beyond what they need to do their jobs."
Worse still, a third of those companies don’t monitor any of the email their people are sending and receiving, including file attachments.
Change is coming. As the cybercrime epidemic continues, companies and organizations will begin compartmentalizing more information to the old “need to know” standard. How much that mitigates cyber-related reputation risk… We’ll see.
There’s more at The Wall Street Journal Risk Report.
Field notes on reputation risk management and strategic communications. The official blog of SilversJacobson, LLC.
Bad News Handbook
By Steven Silvers
What every executive should know about PR crisis, controversy and reputation damage control.