How to Turn Your Data Breach into a Great PR Opportunity

Responsive treatment of breach victims can transform a bad situation into a relationship-building exercise.

Posted by Dawn Lomer in Corporate Security, Human Resources, Information Security on December 5th, 2011

Data breaches can be devastating for both the companies experiencing them and the victims whose data is compromised. Not only are they time-consuming and expensive, but they erode confidence in the organizations that suffer them and lead to unmeasurable losses when they contribute to identity theft. Data breaches cost the healthcare industry $6.5 billion per year and the numbers are climbing.

According to the Ponemon Institute’s 2011 Benchmark Study on Patient Privacy and Data Security, health care organizations and their business associates are increasingly lax when it comes to personal health information (PHI) security. The frequency of data breaches in healthcare organizations surveyed has increased by 32 percent, with hospitals and healthcare providers averaging four data breaches per year. The study cited employee negligence as the primary culprit.

Communication is Key

The study showed that 96 per cent of the 72 respondents had suffered a health care data breach in the last year, with lost or stolen computer hardware, third-party errors and unintentional employee action ranking among the major causes. The resulting communication from companies experiencing the breaches is alarming for those whose information is compromised.

But it doesn’t have to be. In fact, health care companies can use the negative situation to help build better relationships with their patients or clients, says Christine Arevalo, Director of Healthcare Identity Management at Idexperts, which specializes in data breach solutions. “We call it positive outcome,” she says.

Treat People as People

Arevalo says that companies often treat data breaches as a risk, without paying adequate attention to the people who are affected. “They are treating the affected population more as a risk management checklist, as data elements, or as exposure or as a regulatory hiccup, and less like human beings. So that’s the angle with which we approach data breach response,” she says.

It’s important for companies to recognize that the risk to their brand and image is far more devastating than the cost of responding appropriately, advises Arevalo. Turning the communication with victims into an opportunity for honest dialogue and transparency can strengthen the company’s relationship with its patients.

“The first thing we do is try to educate folks about a compromised identity and an actual identity theft. There’s a lot of misconception and misplaced anxiety because of that lack of distinction. The first thing to remember is that you’re not necessarily a victim of identity theft just because you got one of these letters. In fact there’s a lot of press right now about notification fatigue,” she says. “Consumers getting so many of them [notification letters]. So they’re not necessarily taking the time to read them. They’re hard to read sometimes too and understand. So they’re not necessarily applying the appropriate risk mitigation strategies to their own personal situation.”

Monitor and Share

Actions include crisis communications, public relations and social media monitoring to protect and preserve the brand and reputation of the organization. Social media monitoring can uncover what clients are saying about the situation and the company, what they are feeling and how they perceive the handling of the situation.

“We’re not necessarily trying to turn this whole thing around into a positive thing, because it’s not,” says Arevalo. “But we do want to try to neutralize the damage. And just by taking the time and spending the money to talk to people and to candidly share with them and to educate the consumer and arm them with tools and resources so that they can better protect their personal good name… we get a positive outcome,” she says. “In the end it’s as easy as that.”

Dawn Lomer

Managing Editor

Dawn Lomer is the managing editor at i-Sight Software and a Certified Fraud Examiner (CFE). She writes about topics related to workplace investigations, ethics and compliance, data security and e-discovery, and hosts i-Sight webinars.