Brand reputation can make or break your business, and consequently a great deal of your time, effort and resources are spent on directly or indirectly maintaining that reputation.
They say no news travels like bad news, and when the trust placed in your products or services is gone, so too are your clients.
Often, incidents that can potentially damage your reputation are caused by things that other people did, things that you didn’t do, or other situations that are outside your usual focus. These unintended or unanticipated events are stressful to the business. You seemingly have little control, and if you do not have pre-prepared response plans, it is easy to make a bad situation worse.
Burying your head in the sand in the hope that the situation will go away is no longer an option as of February 2017, when the Australian Government passed a bill requiring mandatory reporting of computer security breaches that involve personal information. This is not really ground-breaking news: other countries have had similar rules for some time, and Australia's privacy principles legislation has been around long enough that most businesses are aware of the need to protect their customers’ information.
The bill provides exclusions for medical records already covered by similar legislation, and small businesses can breathe easy for the time being. Disappointingly, the bill also excludes government agencies, who should be leading by example in this area.
The reporting threshold is unauthorised access to information that could result in “serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm”. That wording may offer a legal loophole if your pockets are deep enough; otherwise, expect to be required to report all incidents where ANY personal information is involved.
When it comes into force, probably later this year, incidents must be reported to the Australian Privacy Commissioner, which will no doubt put your carelessness on public record. The Commissioner is most likely going to require you to notify the involved persons, informing them that you were careless with their personal information. This carelessness could result in their personal details falling into the hands of criminals who will most likely spam them, scam them and steal their identity.
Obviously you should consult with your legal and marketing advisers to attempt to minimise the potentially severe reputation damage that this kind of incident can inflict on your brand, and to make sure that you do not do anything to make a bad situation worse.
What can I do to prevent this from happening?
There are two defences against this situation.
- Good governance and controls, which you should already have in place, especially if you have activity that comes under regulatory supervision such as AHPRA, PCI-DSS, ASIC, APRA, etc. Identify sensitive information; manage its life cycle, flows and access; and delete or de-identify it as soon as you can. Data is like any asset: if it is not managed correctly it can become a liability.
- Preemptively build good customer relationships. Studies have shown that it takes at least 4 positively received messages to balance a single negative message. Reputation damage control is going to be much easier if you already have a history of positive and well-received communication. If the first time you have contacted your client in several years is to inform them of bad news, you cannot expect it to be well received.
Vividus can help you to develop communication strategies to stay connected with your customers and to build trust and likability. If you need help with incident response communication and reputation management, get in touch with Vividus today, before a bad situation becomes worse.