For Good Crisis Communications Response, Practice is a Must

By Steve Johnson

Almost two years ago, a financial tech/data client decided it was time to take a long look at its crisis response capabilities. They reset their operational response, putting together a comprehensive binder of specific action steps. They called in SJConnects to help develop messaging, provide communications structure, and train staff for various forms of response. The framework was set to be successful for the “if” turning into “when.”

What they are experiencing now is that although plans are critical, practice is an absolute must. The operations and communications functions need to work together, and they need to be practiced together – out loud and in real time. If your organization doesn’t build the muscle memory for crisis response, your plan is just words on a page.

We are living in an era where major data breaches are coning faster than consumers can track. Since 2014, Target, Marriot, Apple, Mastercard, eBay and Home Depot have experienced major hacks. These breaches are not just costly in terms of consumer trust. They are costly in actual money. British Airways was just recently fined 175MM pounds for their lack of control in a 2018 data breach. We learned yesterday that credit bureau Equifax’s hit will be closer to $700MM.

Every information security and cyber security professional out there is well aware of the fact that she or he is just trying to keep up with the bad guys. They are consistently one step behind, and being able to communicate through the crisis could result in retaining consumer trust and speeding operational recovery.

In the fall of 2017, Equifax’s reaction to a massive data breach, exposing 147.9MM consumers, was the opposite. Social Security Numbers, birth dates, addresses, and driver's license numbers were exposed. Also, more than 200,000 consumers also had their credit card data exposed.

Operationally, the time between flashpoint and acknowledgement was E.O.N.S. It said the breach was discovered July 29, although it also noted it may have started mid-May. The company publicly acknowledged the breach on Sept. 7!

Then there was a lack of clarity and certainty in its communications from the start, even with the “help” of a leading global PR agency. The flow of information and the presence of leadership was non-existent. Outside of an online statement and an op-ed in USA Today, then-CEO Richard Smith made no media appearances; he put no face to a major operational failure of his company.

Some contrition was present in the original statement:

"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes."

BUT IT WAS IN THE FOURTH PARAGRAPH OF THE CONTENT! YOU CAN’T WAIT TO APOLOGIZE AND SHOW EMPATHY! When Smith was finally compelled to make an appearance – in front of a Senate committee on four separate occasions – he repeatedly blamed the breach on a single employee. What a complete lack of leadership!

Other botches include launching a help website outside of the “trusted” Equifax.com site without explanation. Visitors were told there was a five-day further wait to enroll in free ID theft protection and then give up their right to sue the company. When Equifax chose to notify people who were affected, they did so through snail mail. One of its social media channels posted “Happy Friday!” soon after the breach was announced.

I remember my first crisis communications drill when I was at Amoco Corp. (now BP Oil). We conducted a multi-national, real-time drill over 24 hours. We conducted multiple press conferences, mocked various town halls, wrote hands-full of alerts/updates, drafted numerous statements, and granted countless interviews. This was done in real time because we were executing against an operations response plan, as well. We had engineers travel to the Whiting, Ind., refinery; we sent people on planes to South America; we activated chemical plant hazmat departments.

A least once a year, we conducted table-top versions of crisis drills that only took up a business day. But without keeping the muscle memory sharp – ensuring our operations and communications were aligned – we would never be truly prepared for when (not if) an actual crisis hit.

If your organization hasn’t put a plan together, do it now. If your team isn’t trained in how to respond, do it now. If you don’t have a drill calendar set up for consistent workouts, do it now.

Waiting for a crisis to test your capabilities is too late.