A guest post from PR and communications expert Deborah Folka – on how to deal with particularly difficult external communications issues…
While there are many times you seek attention from your community, the media and the greater public, there are also times when you just don’t want to talk about it. When your organization has a situation that is sensitive or potentially damaging to your reputation if it comes under public and media scrutiny, those are the times you just want to emulate an ostrich and stick your head in the sand.
But you are not an ostrich. You are a responsible adult and you have an obligation to look after your organization even in the most challenging circumstances. So you do what you have to do: prepare for the worst and hope for the best. This is exactly what a professional services client of mine did last year when they discovered the computers of a few employees were hacked and persons from Nigeria downloaded email addresses and attachments, some of which contained sensitive identity, financial and personal information. The firm did not become aware of the security breach for many hours and in that time, the hackers penetrated their system quite thoroughly.
When the firm’s IT manager informed the partners, they sought legal, public relations and forensic IT advice. Though the hack involved some client files, it didn’t affect all of the firm’s clients. However, some of the clients involved were high-profile individuals and in addition to the basic hack scandal story, their name-recognition would add just the spice to the story to get the media salivating.
Working with the firm’s partners and lawyer, we created a list of stakeholders and set about determining the obligation of communication owed to each. The clients affected by the breach were obviously the top priority, with the firm’s employees and all other clients of the firm a close second layer. We decided it was important to be ready if the media caught wind of it, but there was certainly no obligation to publicly announce the situation.
Next up was drafting key messages to assure the firm’s clients the protection of their privacy was paramount and steps were being taken to determine how the breach occurred, as well as how the firm plans to prevent it happening again. Once we gathered the pertinent information and knew what we wanted to say, we set about saying it via the most direct and appropriate avenues: calls (with follow-up emails) to affected clients and all staff from the senior partner, with all partners prepared to take calls and questions. The senior partner was coached to respond to media queries should they come and media monitoring – not normally done by this firm – was put in place. We also had a website posting and news release ready in case those tools were needed.
Fortunately for this client, the media never got wind of the hack, the affected clients trusted the firm to sort it out and none of them felt the urge to vent on social media (thank goodness). The firm’s staff members were supportive and got quickly organized around new computer procedures, new training and being more pro-active about privacy matters. With the help of outside legal counsel, a report was provided to the Office of the Information and Privacy Commissioner, satisfying the regulator that the firm had done all the right things for their clients and was taking steps to improve its processes where necessary.
The firm also took away other lessons: have a crisis management plan and review it, along with the potential for other challenges, annually at the partners’ retreat. They also decided to invest in regular media and interview training for their leadership team.
It would be easy to say this client ‘dodged a bullet’ and it’s certainly true their reputation could have taken a real hit. But it didn’t, in part, because they did to all the right things. They took action swiftly, demonstrated leadership, told everyone who needed to know, prepared to be publicly accountable and did everything they could to ensure it didn’t happen again.
Deborah Folka, APR, is an independent communications consultant based in Vancouver. She can be reached at firstname.lastname@example.org.