
How to handle a data breach: Managing public perception

When your organization plans out how to handle a data breach, managing public perception should be given special consideration. One piece of advice: Don't play the victim.

Your company was just hacked. Remediation likely will be painful and expensive. But, whatever you do after a data breach, don't paint the company as a victim.

Recent research from MIT's Sloan School of Management shows that even though the public feels bad for the individuals affected by the breach, it does not feel sympathy for companies targeted by hackers.

Tage Rai, the MIT postdoctoral research associate and lecturer who led the research on this topic, said the public response to corporate events is a study in psychology. The public perceives companies as having identities and the ability to think, but the public does not perceive corporations as having the ability to feel. People essentially perceive most corporations as cyborgs, Rai said. As a result, he explained, corporations can elicit anger but not sympathy.

Tage Rai, postdoctoral research associate and lecturer, MIT Sloan School of ManagementTage Rai

"If they do positive things, companies get just as much credit as do individuals. Companies [also] get blamed for the bad things they do, but they won't get any sympathy," he said, noting that small entrepreneurial operations and family businesses tend to escape this as they're not seen in the same light as bigger "faceless" corporations.

Given this public response, Rai said companies must be thoughtful about planning how to handle a data breach in the public arena.

"If you can't paint yourself as a victim, and you don't want to be a villain, then your only choice is to be a leader. You have to take a leadership role," Rai said.


Pointing to the 2013 Target data breach, he said the breach itself was bad enough, but the slow response from executives, along with the incomplete and inaccurate information the company released in its aftermath, likely added to its costs.

On the other hand, corporations that skillfully navigate their way through a crisis can minimize the public blowback, Rai said.

"They own up, they take responsibility, and they take proactive steps to make sure they're seen, at least in the public's eyes, as leaders in making sure this doesn't happen in the future," he said.

How to handle a data breach: 'Dual hats' for IT leaders

Emily Mossburg, a partner of cyber risk services at Deloitte Advisory and leader of the resilience practice, said the findings likely won't shut down PR efforts to garner public sympathy after a data breach, but the research underscores an important fact about data theft that executives must come to grips with.


"[The study reinforces] that this isn't just a technology issue. It really is a holistic business problem and it needs to be managed as one," Mossburg said.

This is where CIOs, CISOs and other IT leaders need their executive chops to come to the forefront, she added -- even as they're deep into the technological challenges of dealing with a breach.

They need to be ready to inform and educate key players on what happened, what's occurring currently and what will improve in the future to better prevent another breach.

Moreover, these IT leaders must be able to inform and educate not just the CEO and the board after a breach (something most of them are doing already). They must also be prepared to instruct the crisis management team, public relations people, regulatory professionals and perhaps even the public itself.

"There are some organizations where the CIO -- or the CISO or the chief risk officer -- is the quarterback of all of this. They're the quarterback pulling together all the parts of the organization," Mossburg said.

IT leaders in this position are "definitely wearing dual hats" after a data breach, she said. "They need to be focused on the technical elements and making sure everyone in their organization is doing their part. At the same time they're playing a coordinating role as part of the crisis management team and, as said quarterback, helping to coordinate across all executives making sure they have all the right information."

Andrea Hoy, president of the Information Systems Security Association (ISSA) and CEO of A. Hoy & Associates, said every company should have an incident response plan that spells out the steps its executives, including the CIO, must take following a suspected or confirmed breach. That includes how they will help manage public perception.

Hoy said she sees the CISO or the risk and privacy officers as the ones most likely to be put in front after a data breach. But, she added, in any plan for how to handle a data breach, the CIO and the IT staff will still play a critical role in "ensuring the messaging to the public is timely and accurate."
