Data breaches are becoming increasingly inevitable, driven in part by human vulnerabilities like falling prey to phishing emails and not updating software, according to Andrew Ryder, strategy director of Edelman North Asia, speaking on a panel at Wednesday’s CampaignComms conference in Hong Kong.
The number of data breach reports reached a record high of 129 in Hong Kong in 2018, up 22% from the previous year, and 80% higher than in 2014, according to the Office of the Privacy Commissioner for Personal Data (PCPD). Ryder said these numbers are tiny compared to the number of breaches happening in the West, and asserted that it's all but inevitable that many companies will suffer breaches at some point.
With this in mind, Ryder and William Brocklehurst, corporate affairs director of Bupa, who spoke in a separate presentation, offered advice on how brands should respond to data breaches.
“The [data] breach itself isn't what will kill you, it’s how bad your response is to the breach,” Ryder said.
Admitting fault and apologising is fundamental to damage control, Ryder said.
“The biggest overwhelming scene we see [among companies] is victim behaviour: ‘Oh god, this is terrible, how could this happen to us’. We can only do a good job if we can make a client understand that they should get into their mind ‘this is our fault,’” he added.
However, he added it’s best if the company can tell customers exactly what data has been taken prior to going public.
“Although it might cause a delay in going public, it’s more compelling than just to say ‘we know some information has been taken but don’t know what it is’, as that will stir more fear and less trust in you as a business,” he said.
Brocklehurst shared the insurance and healthcare group’s experience of dealing with a specific incident. In summer 2017, a rogue employee took private data of 108,000 policy records from Bupa Global, which impacted 547,000 customers. The data, although not containing customers’ medical and financial information, was still very personal and worried customers.
After a vigorous investigation, Bupa made a public statement acknowledging the issue, in which it apologised for what happened and reassured customers about how the company was dealing with it, said Brocklehurst. He stressed that even though legal advice may be to avoid any statement of fault, “customers want to hear apology.”
In terms of effective response, Brocklehurst said it’s important to keep the customer at the centre.
“The priority for how we react is people first, reputation second and operation third,” he said. “Sometimes that causes some challenges, but if you act with integrity to protect the reputation, real operation should follow with that.”
Another challenge is figuring out which department in the company owns the customer data, so you can contact only the customers who have been impacted by the breach, Brocklehurst said.
“The top question is who really owns the customer: sales, marketing, after-sales services,” he said. “[You’ll be] hamstrung by systems you’ve got holding data records.”
He said companies, multinationals and agencies should make preparations like data mapping and figuring out what communications channels they have in anticipation of data breaches.
The effectiveness and consistency of communications in a data-breach incident can be the deciding factor between how well or how badly an issue is perceived to have been managed, he concluded.
Ryder added that the strength of a brand and of its products and services will be the deciding factor in how quickly customers forgive a data breach and return.
“If you’ve got a product like Google which is pretty much intertwined with your daily life—for example with Gmail, maps and YouTube—you’ll probably go back and use the product quite quickly,” he surmised.