Yahoo's huge data breach underscores challenges of cybersecurity PR crisis

InfluenceChronicles.com -- With cybercrime against U.S. corporations increasing beyond already epidemic levels, its victims remain largely ambivalent about when, why and how to communicate about it.   

According to the advocacy group Privacy Rights Clearinghouse, U.S. companies have been hit with more than 2,600 significant network hacks and breaches since 2010.  Yet the Wall Street Journal reports that in that same period, barely one percent of all publicly traded corporations disclosed any cyber-crimes in their Securities Exchange Commission filings – an apparently glaring contradiction in this era of hyper-transparency. 
 
For some of these companies it’s also a precarious position.  Consider the potential fallout should a company be forced by events or law to disclose a significant data breach, which in turn unveils previous incidents that were kept hidden from investors and customers.
 
So why are so few companies not communicating beyond what's required by current disclosure regulations?  Here’s one reason: As a reputation risk management problem, a network hack or data breach constitutes a uniquely complex corporate PR crisis:
​

• A large breach can suddenly transform an unknown B-to-B enterprise into a public-facing company, subject to clamoring criticism of news media, pundits and social media.  How a previously unknown company behaved prior to, during and after a cyber crisis might be the public's first and last impression about it, good or bad.
  ​
• Based on its scale or origin, government could escalate a company’s cyber breach as a matter of national security or some other agenda, like when the Obama administration unilaterally retaliated against North Korea for hacking Sony’s email servers.
  ​
• A company’s cyber crisis could continue over months or even years if hackers use the tactic of incrementally leaking embarrassing or controversial emails, records, photos, business plans, abysmal karaoke performances and other digital content snatched during the network break-in.  (And worse if the material was taken in an earlier unreported hack.)
  ​
• Preparedness planning must take into account the fact that the next big cyber threat to a company’s good name is simultaneously everywhere and nowhere.  It’s the training that some people aren’t taking seriously, the mega-destructive code that hackers haven’t written yet, the hidden data breach that the connected vendor hasn’t discovered, the unhappy employee with too much access to highly sensitive, confidential information. 

​
It’s no wonder that senior execs are more concerned with managing cyber threats than with almost any other risk to their companies’ reputations.

And it’s why many tried-and-true rules for crisis communications no longer apply.

---