How to write a data breach apology
With more than 30 years of legal experience advising companies on technology, data protection and privacy, ex-Google Head of Legal Nigel Jones is now the co-founder of the Privacy Compliance Hub. As more and more companies face cyberattacks, with the hope of stealing lucrative data, Jones explains the key to writing a data breach apology to customers in the wake of a hack.
Death, taxes and now data breaches. Our digital-first world is dependent on the mass processing, sharing and monetisation of personal information… and that’s created an environment where leaks, hacks, and other data breaches are inevitable.
Big businesses can protect themselves with costly cyber security measures, but are they ever truly safe from malicious cyber criminals or the propensity for human error? Recent history suggests not. After all, Twitter, Facebook, British Airways, T-Mobile and easyJet have all fallen victim. Even royalty, Government and charities aren’t immune; the BBC recently covered leaks about plans for the Queen’s death, the incompetent ‘publishing’ of personal details of special needs pupils, and a cyberattack on the Red Cross that stole the details of half a million vulnerable people.
If a risk of a breach is there, it pays to be prepared. If the worst happens, businesses have three things to think about; their legal responsibility, the need to restore trust with the individuals affected, and company reputation in the eyes of the public. A heartfelt, empathetic and informative apology can help with all three. But not everyone gets it right.
Here are some tips on making an A-grade apology.
Get ahead of the news
Nobody likes having their sensitive information inappropriately shared, lost or stolen. But even fewer people like finding out first from MailOnline that their data has been mislaid. If a data breach occurs, speed is of the essence. That means telling the regulator without undue delay (within 72 hours at maximum), but also an ethical – and often legal - obligation to let your customers know what’s happened as soon as possible. Any delay doubles down on the already severe reputational damage of a breach. For example, some British Airways customers found out about a breach from social media and online news, including one who shared her disgust with some of her (now) 131,000 followers. Reputational damage from slow responses is not a new concept; TalkTalk was heavily criticised for a breach response back in 2015.
Acknowledge the pain
The best apologies are always heartfelt and humane, rather than dismissive or deflective. As this Inc.com article shows, T-Mobile CEO Mike Siewert hit the right note by using language such as ‘humbling’ in his own response to a hacker stealing details of 50 million people. Siewert was praised for acknowledging the severity, recognising that customers had been let down, and for including a proper plan of action going forward.
Structure it appropriately
Businesses suffering a breach must go beyond a mere mea culpa. There are two main types of apology. The first is direct reporting of the breach to the individuals affected, where structure is largely dictated by the GDPR; these should also be finessed in a suitably caring style. The second is a more public apology to wider stakeholders, including customers and investors. Unfortunately, too many of these apologies are formulaic. They tend to follow the same approach, and provoke responses like those in italics below:
- The breach was caused by bad people who were really sophisticated - Was your company expecting lovely ‘unsophisticated/stupid’ people to try to steal my valuable data?
- The scope of the breach was very limited – was it really – why are you telling everyone about it then?
- We have now got experts in - why hadn't experts taken care of it before?
- No financial details were compromised/no sensitive data was lost - does that make it ok then that people stole my email address and passwords?
- I know that we said it wasn't a big deal, but we recommend you change your passwords - now I really don't believe you.
Is this really the reaction companies want when they apologise?
Word it carefully
I'd rather companies were a little more upfront and personal. Something along the lines of: “I make it my priority to make sure we do everything we can to protect your personal information. Despite everything we do it looks like someone found a vulnerability, or someone made a mistake. This is our number one priority. We are all over it. We will let you know what happened as soon as we know all the details and we will keep you informed. We are extremely sorry that this has happened, and we know the anxiety these kinds of instances may cause you. I am personally making sure we are doing everything in our power to fix it.”
As a lawyer, I should say that I’m also duty bound to suggest a legal review of any communication prior to publication. But language matters beyond the law courts. Facebook, for example, was slammed for not using the specific word ‘sorry’ in the case of the Cambridge Analytica scandal, despite acknowledging: ‘we made mistakes’. Empathy is the best way forward. Showing you take full responsibility for making things right will maintain trust — blaming it all on bad people when the door was left open is not a good look.
Make sure you don’t have to apologise again
Prevention is always better than cure. While single data breaches can be catastrophic to customer numbers and share prices, they might not necessarily be fatal. A second breach could finish a company off for good.
The best way to stay secure from a breach is twofold. Part one is to invest in the most appropriate cyber defences. But with human error a key factor in the majority of breaches, an equally important second part is creating processes and a culture that prioritises privacy. Businesses should seek to build continuous improvement on privacy into their organisational DNA. Not just to mitigate the risk of a breach and an embarrassing apology – but because it’s the right thing to do.