Angela Carmichael is senior vice-president, senior partner and general manager of FleishmanHillard in Toronto. Imran Ahmad is a partner at Miller Thomson LLP and specializes in the area of cybersecurity law.
Our shift to a digital society has seen the emergence of a new kind of crime: stealing data and attacking company networks, whether for financial gain, to send a political message, or sometimes simply to prove a point. Not surprisingly, this harsh reality of our digital economy has made cybersecurity a significant priority for organizations, senior management teams and corporate boards across Canada and the world.
The financial costs to defend against cybercrimes are not insignificant: According to Cybersecurity Ventures, it is expected that companies will spend $1-trillion (U.S.) cumulatively over the next five years on cybersecurity products and services. However, spending to defend against the crime doesn't address the reputational damage a data breach can have on an organization, or the longer-term revenue implications that result if in fact a data breach occurs.
A January, 2017, Leger survey commissioned by corporate reputation consultancy FleishmanHillard showed that nine in 10 Canadians agree that if an organization or business were to have lost, been a victim of theft or mistakenly shared personal information, it would lose significant trust and credibility with Canadian consumers. Moreover, 82 per cent of Canadians say that if this were to happen, they would take their business to a competitor.
So, while it's true that Canadian companies are increasingly preparing for the financial, legal and technical implications of a breach, many continue to overlook developing a communications strategy, which is critical in the early hours and days of a breach when it comes to protecting reputation over the short and long term.
From a privacy and legal perspective, requirements are about to change significantly for companies in Canada. In the very near term, the federal government will be rolling out regulations that implement key provisions to the Digital Privacy Act that relate to breach reporting, notification and record keeping. In other words, corporate Canada will be required to communicate much more frequently with the Office of the Privacy Commissioner on breaches, which will in turn have the right to request and review newly required corporate security-breach logs at any time. Companies will also be required to alert affected individuals in a timely manner where the data breach could result in "significant harm," as well as any organizations, such as credit bureaus, that can help reduce risks for individuals.
What this reinforces is that data incidents are not legal, IT or communications problems exclusively. They affect the entire business and require a multidisciplinary team comprising senior leadership, IT, operations, communications, legal, HR and managers responsible for stakeholder audiences such as investors, customers and business partners.
Ideally, the team should work together before a breach occurs to develop a cyberresponse plan comprising a communications strategy that works in conjunction with an IT-response plan. Collaboration avoids the one-sided approach often seen when organizations work in silos resulting in a disjointed, inconsistent and delayed response to issues or crises.
In thinking through threats to the business, the team should identify organization- and industry-specific risk factors. For instance, a retailer will tend to focus on breaches related to payments and customer information, while a public utility will focus on an interruption of service. Beyond the immediate impact of a breach, the team should consider the longer-term consequences of, for example, the loss of intellectual property, employee or customer records.
Once the risks are established, it is imperative to align how the organization will communicate with stakeholders. Timing should take into account IT security and forensics timeframes, as well as determining broad thresholds for notification to the Commissioner and affected individuals. This will reduce the need for real time decision making in an actual crisis, as well as inappropriate responses.
Finally, ensure that your organization's first attempt at managing a cybersecurity crisis is not during the real thing. Practising in a controlled setting can identify flaws and gaps in the process because what makes sense in the plan does not always work in practise, and personalities can change in the pressure cooker.
Just as there is no fail-safe method to preventing a cyberincident, there is no foolproof way to managing an organization's reputation in the midst of one. However, recognizing the importance and value of preparation more often than not goes a long way toward protecting the reputation that your organization has worked long and hard to build.