I'd Like to Buy a Vowel: The Price of Poor Communication During a Data Breach
Mitch Mayne: When a data breach happens, we tend to turn introspective. How did it happen? Who did it? How can we prevent it from happening again? Well, the one element we don't generally talk about is how a data breach is communicated. Well, that is, unless it's done really badly. And sadly, the last few years have given us some pretty stark examples of how not to communicate during a breach. No names mentioned, although we may get to a few of them in this episode. What exactly is good communication during a breach? Not only communication to customers or the public who are likely the ones who've had their data compromised, but communication inside an organization. In a world where marketing may never talk to HR and legal may never talk to IT, how do we get those wires connected to coordinate what we say? In this episode, we sit down with Loren Dealy Mahler. She's built a career managing cyber crises, helping organizations know what to say, when to say it, and how to say it. She's the co-founder and president of Dealy Mahler Strategies, and she joins us today to shed some light on one of the lesser mentioned elements of a cyber attack, how we communicate when we have one. I am Mitch Mayne, and you're listening to Into the Breach. Loren, tell me, if you had one piece of advice or you had a CEO alone for 30 seconds to give him or her advice on how to handle a data breach from a communication perspective, what would that piece of advice be?
Loren Dealy Mahler: Well, I think that I would tell them that a skilled technical response team can ensure that they still have the data and the infrastructure to come back to work after an attack and ensure that everything is still there, but a skilled communications response, a skilled communications team, an expert can make sure that they still have a business that actually runs once they get there.
Mitch Mayne: Wow, mic drop. That's pretty powerful. When we think about the communication profession, we don't often think about cyber attacks, and yours is a job that didn't really exist a decade ago. Why do you think it exists today?
Loren Dealy Mahler: I think it exists today because a lot of people learned the hard way over the last decade or so that the traditional crisis communications teams, the traditional PR teams that exist either in house at a company or on retainer from an agency are great at what they do and they've always been very good at what they do, but just as the whole concept of a data breach and a cyber attack has evolved to become a little more mainstream, people have realized that the traditional playbooks that those really great crisis teams have always used don't actually help them as much as they thought they did in these situations. A lot of folks have gotten themselves in a lot of hot water trying to employ those same old playbooks in the context of a cyber incident. They've had to realize that there's a specific expertise, a tweak that needs to come into play.
Mitch Mayne: Spoiler alert for those of you who are listening, Loren and I have actually had the opportunity to work on a couple projects together. She and I have both kind of seen some eye-opening moments and heard some eye-opening responses from folks around the communication of data breaches. One of the quotes that we got, Loren, that I want to read to you and I want you to tell the readers how it makes you feel is this, "My communication team has a crisis response plan already. I don't need to have one for a cyber event." Why does this send chills up your spine?
Loren Dealy Mahler: That to me when I hear it says that the person speaking, most likely, if I'm placing this correctly in an executive role, a senior role, is somebody who does not yet fully appreciate the situation that they could find themselves in when it comes to a cyber incident that, "We've already got a team. They already know what to do." And that's great. I'm sure they do. If you have some type of executive scandal or corruption crisis, product malfunction breakout, then they're going to be fantastic at managing you through that. What it tells me is that you don't fully appreciate the changes and the nuances that will exist as you try to manage a cyber situation. The fact that that traditional playbook that we keep talking about, that crisis playbook, isn't going to help you. It's got some very specific steps in it that are probably the opposite of what you should be doing in a cyber situation and you're quite likely going to make things harder for yourself. When I hear you say that, I realize you haven't quite yet fully appreciated that.
Mitch Mayne: Yes. History has shown us that I told you so moment has come far too often for far too many organizations, individuals, and our public officials. Let's talk a little bit about the difference between just a generic crisis response plan about a power outage or a natural disaster and a cyber communication plan. What's different between the two?
Loren Dealy Mahler: In my mind, the biggest thing that changes as you shift from one of those scenarios to the other is the amount of information that you know and when you know it. I think it really boils down to what do you know and how soon do you know it. When you're facing a more traditional crisis, then you tend to know what happened. When there's been a natural disaster, you know what happened. You may not know the full impact of it, you may not know all the specific ramifications of that event yet, but you know this is the thing that occurred, here's the damage that it's done. We're still figuring it out. You want to get that out there. When it's more of a manmade crisis, something in the sort of scandalous realm, then when you find out the things that are happening, you intentionally flood that information out there so that people absorb less because you've given them so much more, and then you move on from that. In the situation of a cyber incident, you don't have that luxury because quite often there is no single moment where everything has happened and is finished happening, and then you see what has happened and move on. You just don't have that option because it very often takes quite some time to be able to figure out what has happened. It's just the nature of the incident, figuring out that something has happened. Learning about it along the way just by design means that you can't push all the bad stuff out at once because it keeps coming out. The pure nature of the beast means that information will trickle out, which is the exact thing you're trying to avoid in a traditional crisis situation. You don't want stories to keep coming up over and over and over as new information comes out, but that is what you will have just by sheer nature of the incident in a cyber event. 
You have to position yourself from a communications perspective early on so that you have set the stage for new information to come and you've set the expectation that you will have updated information along the way, so that rather than drawing a story out or learning something new and changing your initial positioning, you are updating people rather than changing the facts.
Mitch Mayne: Ooh, I like that. That's actually really good, updating people versus changing the facts. What I hear you saying, and I think this is true, is when you're talking about a cyber crisis, more often than not, these are dynamic situations. If you follow the correct playbook, you're going to be communicating them while they're still occurring. You're going to have your incident response teams and your technical teams trying to solve the technical side of the crisis and uncover forensics over how bad the damage was. And at the same time, you're going to have to be communicating it. It's really kind of a live on the spot event, which is very different than some sort of scandal or a tree falling over a power line or something like that.
Loren Dealy Mahler: Absolutely. That's completely true. You're reporting out facts as they come up. The way that you do that in that initial period right after something has occurred when you're first communicating, you essentially set the groundwork. You lay out the vector that you're going to move down throughout that event as long as it may take and doing so in a way that allows that new information to enhance people's understanding of the incident, rather than question your credibility makes a really big difference. A traditional playbook, while great for some incidents, is not designed to do that well.
Mitch Mayne: Let's talk about some missteps in communication. There's a lot of examples to pull from, but I want to pick on a couple specifically today. The first one I want to talk about is the Atlanta cyber attack in 2018. I think you and I both saw the initial press conference that then-Mayor Keisha Lance Bottoms gave. I think we saw that at the same time. She was asked a question by a reporter in that first press conference. My heart goes out to her. She was clearly nervous through that whole thing, and she was really on the spot. The question from the reporter was, how widespread is the attack? Does this affect the public beyond the outages for the DMV and getting my house permit? Her response was one of surprise and she stammered a bit and stuttered and looked around. She just looked scared. She went on to say that she didn't know. Perhaps everybody who was listening to this should go check their bank accounts immediately because the threat actors could be in there and that sort of thing. You saw this too. Was that a good response? Let's just ask you that question. Was hers a good response to that question?
Loren Dealy Mahler: No. I don't think it was a great response to that question. You're right. Just watching that, your heart went out to her and to her team as they were trying to both wrap their heads around what was happening in the moment, but then also put the public face to the moment at the same time.
Mitch Mayne: Did you cringe when you watched it?
Loren Dealy Mahler: I cringed.
Mitch Mayne: So did I. So did I.
Loren Dealy Mahler: I cringed just now listening to you repeat it. Listening to you describe it was cringe-worthy over here. There are a couple rules of thumb that I always try to counsel people on regardless of the specifics of an incident. One of them is that from a business perspective, the perspective of an organization who is experiencing an incident, your goal is to get to the other side with as minimal damage as possible, with as little of an impact. That means that people still trust you on the other side, people still think that you are a viable organization, a business, a public office, whatever that is. Part of maintaining that trust throughout the situation is projecting an air of stability and control even when you don't know what's going on. Being able to say, "Here's what we know. We don't know more than that, and we will get back to you when there is more information, but here's what we're doing in the meantime to try and figure it out," gives a much better impression of the way that your team is managing the situation than what we saw in Atlanta of basically translating it into, "I don't know, but my body language is panicked, therefore you should probably panic, and they might have all your money already."
Mitch Mayne: Wasn't that speculative and isn't like speculation in a press conference on a cyber attack like the kiss of death?
Loren Dealy Mahler: I mean, speculating pretty much in general, particularly as a public figure, is never helpful. Exactly what you said. When you are in a situation that is unfolding at an unknown pace, particularly something like a cyber event, then 100% do not guess ever. There's no speculation. Again, this is where it differs sometimes from advice that you will often get from traditional PR pros in traditional crisis situations. It's okay to say, "We don't know, but we're figuring it out." It's important to follow up that we don't know with we're figuring it out and here's how, but to just guess is that thing that immediately draws into question your credibility from that point on and makes it very hard to recover from that.
Mitch Mayne: I also like the fact that you picked up on her body language. I mean, part of what made my heart go out to her was she completely looked under the microscope and unprepared. That was a tough moment for everyone who was on the good side on this one. Hey, let's talk about another one. There was a blog put out in 2017 called How to Burn Your House Down in 24 hours or less, The Art of Equifaxing. Oh wait, you wrote that blog.
Loren Dealy Mahler: That does sound a little familiar. Ringing a bell over here.
Mitch Mayne: I want to talk about Equifax. I'm just going to give you a broad brush question here because I think that there is so much to talk about. You can pick out three or four highlight gems. Loren, tell me what went wrong.
Loren Dealy Mahler: Let's start with the initial communication, not even a communication down the road. Yeah, that's kind of funny that you pulled that one out. What I saw happen in the very initial moments of the public being aware of the Equifax breach, and you can't even say the initial moments of the breach because we didn't find out about it for so long. I think it was, what, over a month, month and a half, 30, 40 days, something like that, before they actually informed the public of what had happened. The mistakes that they made initially early on, I mean, it was almost textbook of what you don't do. They waited too long to actually notify anyone, to notify the victims so that they could take any necessary steps to protect themselves or to monitor themselves. They knew this had happened a long time, but they didn't bother to tell anybody. Step number one, because remember, our goal here is to make sure that people still trust you enough to do business with you at the end of the day. Then I had a big problem with the statements that they put out initially in the beginning. The one that really bothered me was the statement that came out online from the Equifax CEO in the very beginning that the very first... I know it's a written statement, but the first words out of their mouth had to do with themselves. Basically, rather than saying, "This happened. We're taking care of you, our customers. We're looking into this. We're sorry for the inconvenience," none of that. It started out with, "Oh my gosh, I can't believe this happened to us."
Mitch Mayne: What was the quote? Read the quote.
Loren Dealy Mahler: The quote was, "This is clearly a disappointing event for our company."
Mitch Mayne: Ow! 50% of all Americans have their data swiped and that is their position that they're sorry about what happened to their company?
Loren Dealy Mahler: Right. We're sorry this happened to us. Oh, by the way, yeah, you may have lost some stuff too. It's just backwards. It's completely backwards. That's definitely not the way to convince your customers that you actually care about them as a company. Even if they already think maybe you don't, don't confirm it for them. And then everything that they did in those initial days that was public facing went wrong because it was so poorly designed, poorly planned, written up on the back of a napkin, executed poorly, et cetera. There was not a consistent reliable means of putting out information from anybody. You started questioning everything they were saying in order to get any information and find out whether you were impacted. You had to enter personal information online to a website that they had just sort of set up on a whim. This giant company lost 50% of everybody's personal information and they want you to go to this fly by night website and then enter your personal information. There's a disconnect there between trust and user experience.
Mitch Mayne: Trust us. We just lost your data. Trust us again. What is that?
Loren Dealy Mahler: Right. It's almost like saying, "We lost it. Can you give it back to us?" I'm not sure that was really what they were going for.
Mitch Mayne: No, but I see the joke there. That's good, Loren. That's good. I like that.
Loren Dealy Mahler: I mean, you have to laugh about it. It's been, what, four years now? But the call center folks who were supposed to be answering questions and who were set up didn't have consistent, reliable, useful information either. It just kept on going, and it became very clear that there was no attempt to care, if you will, about what customers were going through, about people's experience in this moment. No attempt to allay their concerns or their fears or provide them information that could give them something to say, " Okay, that's fine. You're working on it. Here's what I need to do." It was just totally inwardly focused, and the outward stuff was more just like they were trying to check a box, but they weren't doing it very well.
Mitch Mayne: That doesn't even count all of the mischievous backhand or backdoor events that were taking place with stock and everything like that, which is not the focus of this podcast, but there was a lot of backend stuff. It was going to damage them enough already, their communication could have served them a little better, right?
Loren Dealy Mahler: I mean, they could have at least put out enough proper communication to have bought themselves enough good grace to be able to weather that next storm. In this case, I always describe it as you have to stop digging. When something goes wrong, okay, great. Figure out how you're going to get out of the hole, but the way to get out is not to keep digging and make it deeper. And that's exactly what they did. They were in the middle of this poor customer response, and then the news came out that during that time when they weren't telling anybody about this, their executives went off and sold all their stock and made millions of dollars. They were fine. The rest of you, I'm sure you'll be okay.
Mitch Mayne: You're right. That was almost five years ago now. That was 2017. I still get advertisements from that repository to sign up for credit safety. The first thing that I think of when I see that email in my inbox is, has there been another attack? I don't think about them as protecting me. I think about them as somebody that I don't trust, and that's five years later.
Loren Dealy Mahler: Right. Somebody who's not protecting you, but they're really making sure to protect themselves.
Mitch Mayne: Let's talk about somebody who got it right and tell me what they did well and what the impact was.
Loren Dealy Mahler: My favorite example of a company that got it right, not only because you don't get to talk about the industry a whole lot, is Maersk, the global shipping all the things. When they were part of the attack and they were completely shut off from all the different elements of their business, they had lost the connection, the communications, the contacts, et cetera, it was all done. It's helpful a little bit to understand a little bit of their structure. As a global shipping company, they have their headquarters office, but then they reach out into ports all around the world. They have employees and they have staff in all these different roles around the world. There is cargo coming in, going out, being tracked, being transferred from containers on ships, containers on trucks, in warehouses, and everything else in between. A very, very complex ecosystem within that company structure.
Mitch Mayne: Completely shut down.
Loren Dealy Mahler: Completely shut down. Absolutely. If you think about how important it might be for somebody who's managing a massive global port to be able to understand what's coming and going through that port, that times however many situations they were in around the globe. It was massive. But what they did, and I love this from a communications perspective, they basically said, "You know what? We don't have visibility into what's happening in each of your locations. We don't have visibility into what's happening at those ports, with those containers, with those ships, with those trucks that are waiting. We are going to delegate the authority to just make it go to each of these individual locations. We want you to figure it out, make it happen, keep the customers first and foremost, and do what you need to do to get their goods moving the way they rely on us to do. Whatever it takes, make it happen."
Mitch Mayne: Tell us the quote. Do you remember it?
Loren Dealy Mahler: I don't remember the quote. I remember everything they did, but I don't remember their quote.
Mitch Mayne: The direction given by the senior leader of the company to everyone in the company was basically do what is right for the customer, we will cover the cost, which is starkly different than what we saw with Equifax. This one is extremely customer centric, client centric. The Equifax one was extremely company centric.
Loren Dealy Mahler: The quote here, they are putting the customers first, covering the cost of whatever that is. Equifax was very clearly ignoring the customers and covering something else.
Mitch Mayne: Yeah, that's very clever. I appreciate that. The funny thing is, when we started off this question talking about Equifax, talking about the fact that that was five years ago, Maersk was the same time or not longer ago, right? Does anybody ever talk about Maersk? Do we think about cyber attacks when we hear the name Maersk? I don't.
Loren Dealy Mahler: I mean, we do because we're giant nerds who dig in this all the time, but yeah, no, normal people don't. If you say, "Tell me a data breach that you remember using common vernacular. Tell me about a data breach you remember from the last few years," you're going to get people who say Equifax. You're probably going to get a lot of people who say Equifax. But you're right, nobody is going to say Maersk. The cool thing to me about what they did went a little bit beyond just putting customers first. But I think emphasizing why that was so important is a point that's easy to lose is that when we talk about getting through an incident and on the other side, you want to make sure you still have enough customer trust and loyalty so that you can continue to have a business, in this case, they may have lost hundreds of millions of dollars, and I believe they did in this particular event, but the customer loyalty that they earned by doing as much as they were able to do with WhatsApp communications and sticky notes on the windows and the handwritten clipboards at the points of entry, all of that in the long term from a business perspective benefited them so greatly because they made very clear where their loyalty stands and it's to their customers, not to themselves.
Mitch Mayne: I was actually going to ask you about that is, what do you think the intangible benefit was here? I mean, I live on San Francisco Bay, so I see these ships go in and out all the time. When I see the Maersk ships go in and out and when I see a Maersk ship, it's like I don't have the same reaction I do when I see an Equifax email in my inbox. It is a dramatic difference in the way it makes me as a consumer feel. That intangible benefit that they reaped, you almost can't put a price tag on that. Isn't that our dream as communication people?
Loren Dealy Mahler: Absolutely. Millions and billions of dollars are spent every year trying to increase the strength of reputation that way. Trying to make sure that somebody looks at your name, your logo and says, "Yeah, I have a warm fuzzy feeling about them." How often do you have a warm fuzzy feeling about a shipping company? I don't ship a lot of stuff, so not a lot. But being a nerd at heart, I see a Maersk container drive down 95 near where I live and I think, "Yep, that's those guys. They're doing it right."
Mitch Mayne: I want to switch gears here quickly and talk a little bit about policy. We have the Biden administration who is putting a laser focus on cybersecurity with a new cybersecurity executive order. We have yet to see exactly how that is going to roll out, what the mandates and requirements are going to be from both a technical perspective, as well as a communication perspective. Let's put on your prognosticator hat and tell me what you think we might expect to see that executive order do to communication. What do you think the outcome will be?
Loren Dealy Mahler: I love seeing these things come into being and knowing how much work and how much time and effort and just general expertise was brought to bear in something like this. I think one of the pieces that stood out to me as someone who looks at it with an eye towards the communications lens is that there's a big emphasis on reporting requirements that people have toyed with and different regulations and things that we've seen in the last few years have different emphasis on reporting requirements and timelines and content and things like that. Reporting and notification issues in general. But when you have reporting requirements and you have notification requirements, you all of a sudden have companies and organizations who are more regularly and consistently telling about what happened when quite often the natural self-preservation interest is to not tell, and now they're being forced to tell. The how you manage the telling becomes more important. How you handle the communication aspect of that reporting requirement or that notification now matters because it is out there. You are required to say something and tell someone about it, even if it's just a government agency. But when that happens, there are ways to do that that can benefit you and ways to do that that can make it worse.
Mitch Mayne: Well, also, if you're required to report something, and you and I both know this from being in the communication field, the minute you make a statement about Loren Co has been hacked and you give it to a regulator, everybody's going to know about that. I mean, whether or not the regulator publicizes that immediately, but that's going to be out there in the public domain. Doesn't this actually make the case for having to spring your plan into play even more nimbly and more rapidly and more accurately?
Loren Dealy Mahler: Absolutely, it does. Because like we've been saying, any time that you have to communicate something that has happened, the information is going to be out there and now you have an obligation to make sure that it's out there to your benefit, or the minimum, at least it is out there not to your detriment. Like you said, a reporting requirement, especially one that goes to a public agency, it is going to be public. Particularly if the thing you're reporting is in any way, shape, or form interesting, it is going to be public. Whether you're interesting, whether the incident's interesting, whether someone's having a slow day, whatever, it's going to be out there. Having a plan in place ahead of time of how you're going to manage that and making sure that that plan is built in a way that allows it to be nimble and flexible to the situation at hand is really going to benefit those companies who can have that foresight to handle that ahead of time and to have those plans in place ahead of time in a way that lets them benefit from that notification requirement.
Mitch Mayne: Walk me through this. I'm just thinking in my head as you're talking. If reporting requirements are accelerated and Loren Co gets hacked and Loren Co is required within 48 hours or 24 hours or whatever it is of finding out that she's been hacked, discovery, if Loren Co is required to report that to a regulator and you don't report it to the public at the same time, what's going to happen?
Loren Dealy Mahler: Well, I think you find yourself back in that situation of, have I done everything I could do to make people trust me and to maintain my credibility in this situation, or am I doing something that makes it worse for myself? As with any bad news, anywhere, anytime, hearing it from the source versus hearing it from a third party always makes a difference.
Mitch Mayne: Yeah, that's what I was thinking too. Own the message. Whoever delivers it owns the message.
Loren Dealy Mahler: Exactly. They own the message, so they can paint it any way they like. But at the same time, if you think about let's say a friend did something and has chosen not to tell you about it, but you find out about it anyway, you're now not just upset about the thing, you're upset at the friend for not telling you the thing. We don't have to pretend like we have close buddy-buddy relationships with every company we do business with. But when it comes to a reputation that they are working very hard to maintain and customer trust and loyalty that they're spending, as we said, millions of dollars to grow, then an unforced error that causes you to lose some of that credibility and that trust, it's just not worth it anymore. It's completely self-inflicted and unnecessary.
Mitch Mayne: Unforced error, I like that. We certainly do see a lot of them on the communication side for cyber breaches. Let's end with a lighter note here. I want to hear what your favorite quote is about communication, because I know that you are a total word nerd, and that is said with love because I am too. What is your favorite communication quote? I'll tell you mine actually. I'll make it fair. I'll level the playing field. I'll share mine, you share yours. You share yours first.
Loren Dealy Mahler: Okay. Mine has very little to do with security or cyber, any of that.
Mitch Mayne: Nor does mine.
Loren Dealy Mahler: I love the Warren Buffett quote. "It takes 20 years to build a reputation and five minutes to ruin it."
Mitch Mayne: Obviously that was written before the internet because it's more like 30 seconds now.
Loren Dealy Mahler: Absolutely. Followed only by my second favorite quote of, "A computer lets you make mistakes faster than any invention in human history."
Mitch Mayne: Mine is also not related to technology. It is by Anne Morrow Lindbergh, and I think you'll appreciate this one. It's "good communication is as stimulating as black coffee and it's just as hard to sleep afterwards."
Loren Dealy Mahler: I love it.
Mitch Mayne: There you go. There it is. Loren Dealy Mahler from Dealy Mahler Strategies, thank you for being on the podcast today on Into the Breach. A special thanks to our guest, Loren Dealy Mahler, for her time and insight in making today's episode. If you want to hear more stories like this, make sure to subscribe to Into the Breach on Apple Podcasts, Google Podcasts, and Spotify. You've been listening to Into the Breach, an IBM Production. This episode was produced by Zach Ortega and Clara Shannon. Our music was composed by Jordain Wallace, with audio production by Kieron Banerji. Thanks for venturing Into the Breach.
DESCRIPTION
When there is a cyber incident, the focus is often the technical side of the attack and remediation. Another important aspect of breach management—communication—often takes a back seat. When communication is done badly, consumers can lose trust, brands can erode, and corporate names can become synonymous with high-profile attacks. Loren Dealy Mahler has built a career on creating organization-wide communication plans, and talks about the importance of having the right people using the right words at the right time.