Updated: Yahoo's apparent under-reporting of mass data breach underscores challenges of cybersecurity PR crisis
Updated: Government, media and public reaction to Yahoo's humongous data breach could do for cyber-privacy what The Jungle did for the meat-packing industry.
The issue of unreported cybercrime is at the center of Yahoo's Big Breach Bumble, in which the personal information of some 500 million users was stolen and found for sale on the dark web:
-- Did the company knowingly not disclose the breach in July as it negotiated the $4.8 billion sale of its core business to Verizon Communications?
-- If the company didn't disclose, was it correct in treating the breach as a non-material event?
-- If the company did not know, how exactly did a company like Yahoo miss that hackers were grabbing up half a billion user information files over the last two years? (And any helpful cybersecurity tips for the rest of us?)
-- How do any of these scenarios change the valuation for the Verizon sale? Will this derail the deal altogether? (It would be the first time a cyberattack had such an impact on the market.)
-- How much of Yahoo's reputation damage and other fallout will transfer to Verizon if the acquisition is consummated?
Yahoo's BBB will likely have another impact on every business or nonprofit that keeps personal information on its servers. People in Congress are again calling for a notification standard requiring consumers to be told about a data breach "in a more timely manner," a phrase that means nothing until lobbyists and activists representing a dozen different agendas fight it out. But there will be some form of federal regulation, where none exists currently.
Read on below about the four considerations that make cybercrime a uniquely complicated corporate PR crisis:
Bad News Handbook -- With cybercrime against U.S. corporations increasing beyond already epidemic levels, its victims remain largely ambivalent about when, why and how to communicate about it.
According to the advocacy group Privacy Rights Clearinghouse, U.S. companies have been hit with more than 2,600 significant network hacks and breaches since 2010. Yet the Wall Street Journal reports that in that same period, barely one percent of all publicly traded corporations disclosed any cyber-crimes in their Securities and Exchange Commission filings – an apparently glaring contradiction in this era of hyper-transparency.
For some of these companies it’s also a precarious position. Consider the potential fallout should a company be forced by events or law to disclose a significant data breach, which in turn unveils previous incidents that were kept hidden from investors and customers.
So why are so few companies communicating beyond what's required by current disclosure regulations? Here’s one reason: As a reputation risk management problem, a network hack or data breach constitutes a uniquely complex corporate PR crisis:
It’s no wonder that senior execs are more concerned with managing cyber threats than with almost any other risk to their companies’ reputations.
And it’s why many tried-and-true rules for crisis communications no longer apply.
(CorpComm Blog) How'd you like to slog off to work every morning knowing that your customers don’t trust you? That sums up the life of local journalists, say two recent reports. Here’s why it matters: Because it will likely skew how your town's news media cover your company’s next PR crisis.
A recent Gallup Poll found that barely three out of every ten Americans trust what they see in the news. And on CareerCast’s 2016 list of the 200 worst jobs, newspaper reporter ranked dead last, with broadcasters taking bragging rights for being only the nation’s third-worst career. The annual list takes into account working environment, income, growth potential and stress factors.
All of which means that too many local reporters are overworked, underpaid, unappreciated and isolated in newsrooms that have neither time nor money to let them truly engage and understand the arenas they cover – especially the business world. This can lead to a fatalistic, cynical view of the world that steers even talented reporters down the path of least resistance, characterized by shallow, clichéd conflict stories that provide inaccurate or no context, and that give equal weight to any “contrasting” source, no matter its lack of credibility.
For companies responding to complex crisis situations, this dog-tired and formulaic approach to journalism can result in undeserved damage to their hard-earned reputation.
While it certainly doesn’t exist in every market, it’s important to anticipate this predisposition to fast-food local journalism, especially if your company’s crisis communications strategy is to speak with reporters. The best way to prepare -- aside from knowing your facts, messaging and how to handle interviews -- is to deliver as much concrete, articulate information as possible. Dish it up on the proverbial silver platter in easily digestible portions.
A seasoned and solid journalist will appreciate the directness, which will help ensure an accurate story. And for the over-worked and disconnected reporter, the closer you approach “add water and stir,” the better the chances the resulting story will accurately represent your company's position. Quite often it’ll be included verbatim.
What’s happened to local journalism – and especially local business reporting – is tragic. But the unvarnished reality is that today’s lean media environment, with its ratings pressures and “pay by the click” compensation, forces many local reporters into being glorified stenographer-provocateurs looking for edgy or emotional angles.
Be aware and ready.
(CorpComm Blog) -- When Facebook deleted the famous “Napalm girl” photograph because it violated policy on showing nude children, the Norwegian newspaper editor who posted it wagged a rather sanctimonious finger at CEO Mark Zuckerberg.
"The media have a responsibility to consider publication [of stories] in every single case," wrote Espen Egil Hansen, editor at Norway’s largest newspaper, in an open letter to Mr. Zuckerberg. "This right and duty, which all editors in the world have, should not be undermined by algorithms encoded in your office in California."
The historically iconic photograph was allowed after a loud show of protest and support from Facebook members around the world -- a response that underscores the collective power of social media communities to police themselves on standards. The outcome of this dispute was as it should be.
However. In reporting the reversed deletion, the world's news media -- some behaving like this was another Scopes trial -- failed to emphasize that the Norwegian newspaper was using Facebook first and foremost as a no-cost marketing tool. “You are offering us a great channel for distributing our content,” Hansen wrote. “We want to reach out with our journalism.” (So do other business concerns besides newspapers.)
But then Mr. Hansen told “dear Mark” that “Even though I am editor-in-chief of Norway’s largest newspaper… you are restricting my room for exercising my editorial responsibility.”
Post me confused.
I read through Facebook’s entire investor prospectus. And nowhere is there anything about the company being beholden to anyone’s “exercising of editorial responsibility.”
Especially to a commercial newspaper using Facebook for free publicity and promotion.
Over time, the clunky synergy between social and news media will either achieve mutually-beneficial equilibrium or reshape itself completely, like home pages and other content aggregation movements of the internet age. Mr. Zuckerberg sees this as making Facebook the "perfect personalized newspaper for everyone in the world."
Even if that's where things are headed, we should be cautious about holding Facebook and other corporate-owned social media services accountable for not behaving like the news journalism companies they aren’t.
Delivering the milk doesn’t make you a cow.
(CorpComm Blog) -- Five takes on EpiPen, virtual reality, surrender ceremonies, Roger’s fall and how Donald Trump’s campaign is like one very long Twitter feed. I don't know, but that is what people are telling me, it’s so beautiful. Really really something. And it’s going to be amazing, believe me.
(CorpCommBlog.com) -- Atlantic Monthly laments with us Baby Boomers the demise of advertising jingles, which have mostly died out since Pepsi's 1984 production with Michael Jackson established today's joined-at-the-hip marketing relationship between brands and popular music.
But how many of those campaigns can claim to have millions of loyal fans who even 43 years later know every word to Oscar Mayer’s iconic My Bologna Has A First Name? Sing it, citizen consumers:
My bologna has a first name
My bologna has a second name
I love to eat it everyday
And if you ask me what I'll saaaaaaay
Cuz Oscar Mayer has a way with B-o-l-o-g-n-a
(BadNewsHandbook.com) -- Brand and reputation. It’s a critical distinction that drives a company’s ability to minimize the impact of its next public relations crisis.
Brand is how your company talks to the world.
Reputation is how the world hears your company.
Some people say reputation and brand mean the same thing. But that’s like saying the pitch and the swing are the same because they’re part of the same baseball game.
Closely related, but very different.
Reputation risk management is a paradox. On one hand the company's reputation is its most important asset. On the other hand it is the asset most vulnerable to damage by conditions largely out of the company’s control.
A brand is a promise, but more than just deliverables. It’s what the brand’s owner needs people and institutions that matter to believe to be true.
Reputation, on the other hand, is what stakeholders and influencers actually believe. It's a mix of personal experiences and influences, all weighed against motivations that drive every decision to trust a brand, buy a product or support an idea:
The wider the gap between a company's brand and reputation, the more potentially damaging a controversy or crisis.
But the more a corporate and brand reputation jibe with what stakeholders want to believe, the stronger the company’s ability to navigate and even prosper through bad markets, complex public issues and crisis events. It’s no wonder that companies with solidly good reputations have market caps of 30 to 70 percent more than their book value.
Illustration courtesy Huffington Post.
(CorpCommBlog.com) -- National Public Radio has joined the growing number of online media outlets that no longer show public comments at the bottom of news stories.
In case you’re new to this WWW thing: Many comment sections have been commandeered by small groups of mostly anonymous "trolls" who shout down and ridicule anyone with opposing opinions, often with incredibly violent imagery and hate speech. And don't get us started about punctuation.
Many news sites held on – and still do -- to comment sections in part because they create space to sell ads, without the nuisance of paying journalists for content. These days, however, social media platforms offer more civil, cost-efficient ways to facilitate public dialogue around sponsors’ interests. The result is that media sites are dropping comment sections as a well-intentioned but failed, high-maintenance vestige of a simpler Internet time.
But not all. One ticked-off supporter of comment sections is Breitbart News, the hyper-populist, anti-lefty media site whose chairman is now running Donald Trump’s presidential campaign.
Hostile partisan vitriol is what outlets like Breitbart and the anti-righty Daily Kos are selling, and they have plenty of followers (including trolls). But these aren’t products that attract mainstream advertisers and promotions. It’s commerce, not comments, that keeps most online media in business.
Time Magazine underscores the problem with its cover story, “How Trolls are ruining the Internet.” Some 80% of the 93-year-old magazine's own writers said they don't cover certain topics because they fear the online response. Sometimes the attackers will track down and harass a writer's spouse, parents, even children.
Despite America’s chaotically contradictory Internet culture, it would seem that the bulk of news comment sections are heading toward extinction as new ways to engage the virtual public square become more advanced. What the Internet mob does as a result is a whole other consideration.
(CorpCommBlog.com) -- A new survey says three-fourths of corporate data theft is caused by “insider negligence” -- a nice way of saying “companies that for some reason still let employees do internal email while connected to a free wi-fi service.”
As many companies and politicians learned the hard way, hackers love stealing emails in part because of the whacky fun that ensues when they are made public. And cybercrooks are becoming steadily more proficient in how they leak e-plunder to mess with the victim’s reputation and operations for as long as possible.
Here's the kicker: More than 60 percent of those surveyed said they have access to company data that they shouldn’t see. "Too many employees have too much access to the company’s most valuable information," said the lead researcher. “Beyond what they need to do their jobs."
Worse still, a third of those companies don’t monitor any of the email their people are sending and receiving, including file attachments.
Change is coming. As the cybercrime epidemic continues, companies and organizations will begin compartmentalizing more information to the old “need to know” standard. How much that mitigates cyber-related reputation risk… We’ll see.
There’s more at The Wall Street Journal Risk Report.
Illustration | My Security World blog: Eight things to stop doing immediately
Field notes on reputation risk management and strategic communications. The official blog of SilversJacobson, LLC.
Bad News Handbook Blog
What every executive should know about crisis, controversy and other PR nightmares.
By Steven Silvers