Data Privacy Day in the Time of COVID-19
Over the past few years, Data Privacy Day has grown into a celebration on January 28 at which organizations share best practices on how to protect information. This year feels very different, as more pressing issues of life and death have pushed data privacy to the back of our consciousness. These issues must not be ignored, especially in corporate decision-making, because the mass shift to virtual work has made them more important than ever.
The COVID-19 pandemic turned the slowly growing trend of virtual work into the only means of keeping many organizations running. Most were entirely unprepared for this massive shift, and hackers were poised to strike.
There were hundreds of thousands of phishing attacks on distracted employees in 2020, some of which yielded credentials that allowed deeper network access. Where we saw this hurt most was in the staggering growth in ransomware attacks. These attacks jeopardize the reputation and solvency of many organizations. More importantly, the stolen data can make it impossible for customers and employees to maintain or regain their privacy.
FleishmanHillard has done a significant amount of work on behalf of clients globally in preparing for, or responding to, ransomware attacks. Our work has substantially grown in the past year and we have been able to keep pace with demand for experienced counselors by utilizing our network of over 100 A.R.C.™ certified crisis managers.
As an example, FleishmanHillard recently worked with an international technology company which had been subject to a ransomware attack. We worked with the security team to understand the problem and develop a timetable for resolution. This partnership helped us develop a three-tiered communication plan based on: 1) the current situation, 2) a plan for when systems were back up and 3) the completion of the investigation. Messaging and communications protocols were developed and shared internally for use with different audiences including customers, employees, partners, investors, media and regulators. We were also embedded with the incident response team to help identify and resolve escalations to protect their reputation.
The communications tactics used here helped the company survive three weeks of service disruptions. Our experience, in combination with our engagement, helped the client identify and quickly resolve potential flashpoints.
Hackers permanently lock systems, steal data, disrupt operations, extort hundreds of millions of dollars to fund criminal causes and ruin the reputations of big corporations and small nonprofits alike. We have also seen recent issues in which hackers threaten not only to withhold business-critical functions from companies that refuse to pay a ransom, but also to publish sensitive client or customer data. We counsel clients preparing for, or actively under, attack based on five principles:
- Reputational Priorities – Maintain credibility by being clear, consistent and accurate in the information you share internally and externally, and do not engage in speculation.
- To Pay or Not to Pay – Organizations need a plan or policy before an event to help them navigate this difficult decision.
- Call the Experts – Decisions and communications at the early stages of an attack can have significant implications further down the line; good counsel is needed from the start.
- Mind the Litigation Risk – While notifications are primarily a concern for the legal team, it is important that company leadership align early in the process on what is acceptable to include.
- Control the Narrative – Communications planning should include a timeline of when to deploy certain messages to specific audiences.
These are incredibly important issues to focus on because the trend of virtual work will continue past the end of the pandemic. Broader access to the internet and innovations like 5G will further enable this trend and continue to expand the surface area for hackers. Organizations will need to continue to make significant investments in security to keep up with this changing landscape and should consider following guidance laid out by the National Cybersecurity Alliance. Taking these steps can help organizations exceed stakeholder expectations in data privacy and protect their reputations.