When reporting data breaches, how should audience empathy be informed?
Claudiu’s Observation: As we browse cybersecurity news headlines, we read about companies "suffering" breaches and "falling victim" to hackers. But if the public is expected to immediately muster empathy for the company, what is left for the human victims whose most valued possessions - their identities - have potentially been shared with criminals?
In (ostensibly reluctant) breach a̴d̴m̴i̴s̴s̴i̴o̴n̴s̴ ahem, notifications, companies are often quick to point out that they have "detected no misuse" of the stolen data, among other signals apparently intended to minimize the impact, reduce their blame or at least avoid causing anxiety in their audience. While this does not overtly deny the harm to customers, it clearly strives to keep the focus on the heroic narrative of the embattled company valiantly standing between the hapless individual and the forces of evil.
Why do we see the emotionally charged battle to embody victimhood in everything from military (where atrocity propaganda is currently testing peak levels) and political action to lawsuits and data breaches (where organizations and even school boards sometimes take drastic steps to silence whistleblowers)? Because human nature is such that the victim might suffer embarrassment but they may be spared the vastly more expensive reputational damage inherent in the implied negligence that lies at the root of all security incidents.
Fair enough, but why is reputational damage to be avoided at the cost of dignity, embarrassment and even public humiliation? According to Forbes, 45% of organizations suffer reputational damage as a result of data breaches directly attributed to them and 19% of brands are tarnished even when the blame can be pinned on a third party.
The value of trust goes very far, when we consider that 65% of data breach victims lose trust in an organization as a result of the breach (Centrify), 85% tell others about their negative experience and 1 in 3 yell it from the rooftops of their social media platforms. Even the multinationals with the deepest pockets see a 9% drop in global earnings as a result of privacy-related breaches (FTI research).
When interviewing certified professionals with relevant expertise, always ask yourself:
2. Is there a risk of conflating breach enablers with breach victims?
3. What is the unfolding crisis and does it present a real, ultimately financial risk to corporate trust and reputation, or was the event unpreventable?
We are often reminded that some 80% of a company's value is locked in intangible assets, including brand equity, intellectual capital, goodwill and the data troves craved by hackers everywhere, but according to the World Economic Forum, a sobering 25% of that intangible value is taken up by the organization's reputation.
“It takes many good deeds to build a good reputation, and only one bad one to lose it.” — Benjamin Franklin
For professional analysis and media soundbites by a certified security and privacy expert with 35 years of experience, click here to request an interview with Claudiu Popa, author of the Canadian Cyberfraud Handbook, CEO of Datarisk Canada, President of Managed Privacy Canada and co-founder of the KnowledgeFlow Cybersafety Foundation, Canada's only non-profit dedicated to bringing digital literacy to vulnerable sector audiences via accredited data protection professionals.
This weekly newsletter is the product of manually curated news presented with the expert commentary of Claudiu Popa. As a weekly publication intended for media and information professionals, the objective is simply to outline common threads flowing through current news stories and identify opportunities to ask the questions that matter.
Whether you are a professional journalist or a passionate subscriber, this is your opportunity to gain actionable insights into the actual harms and the questions that matter about the real impact of cybersecurity.
Know a media professional? Offer them the Media Cybersecurity Briefing. It’s completely free (for now).