E-CommerceALERT.com is part of the Bennett Gold LLP web site network.

Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants

Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.


Source: MerchantFraudSquad.com

Posted on August 21, 2001

      No company wants its site to be hacked. But despite firewalls, encryption techniques, and your own best efforts, it could still happen to you. And if it does, you'll need to be prepared to communicate to the public.

      For insight, we've spoken with Nancy Muller, vice president of public affairs at American Express.

      "From a public relations perspective," says Muller, "the communications goal during a crisis is to ensure that when the crisis is over, your behavior leaves your company's good name intact. Your customers and employees should think you've behaved responsibly, and that you've acted with integrity. If your company is public, your shareholders should also believe you've protected their interests." To help you do just that, below are Muller's tips for dealing with a crisis before, during, and after it occurs.

Before a Crisis Occurs: Plan, Plan, Plan

      "Unfortunately, by its nature, a crisis takes you by surprise - you won't be in control of all the events," says Muller. "But with some planning, training, and forethought, you can develop a procedure that can help you ride out the storm with considerably less damage to your company's reputation."

      According to Muller, here are some planning tips to consider:

      "Develop a map or organizational chart of the chain of command for decision-making during a crisis," says Muller. This will avoid confusion later. You should also have a 24-hour contact list with beepers, phone numbers, and home numbers, in case the crisis occurs after hours or over the weekend. And don't forget to have one or two back-up names if someone can't be reached. This contact list should also include those in customer service, IT, and fraud prevention.

      "Pick somebody in authority to be the voice of the firm," says Muller, such as your CEO. You should have at least one back-up in addition to the main spokesperson, and media train both of these people for the job.

      "Media training will help your spokespeople learn what's relevant to talk about and what's not," says Muller. "It will also help them feel comfortable talking publicly." For example, says Muller, "you can anticipate where problems may crop up and do role playing - with you playing the reporter or worried customer."

      This training should also extend to any of your employees who handle customer phone calls or who may receive calls from the press. You should prepare a fact sheet that tells them where to refer press calls and how they should respond to customer inquiries.

      "Develop a plan for learning the facts," says Muller. You'll need to communicate the facts to the public, but first you have to find them. Establish what you must learn, who will track down the information, and how to relay the information to your corporate communications, IT, fraud prevention, payment processing, and legal departments - and to law enforcement if necessary.

      "Develop a plan for communicating the facts," says Muller. Determine at what point you need to contact your customers, the press, or other stakeholders. "Although you don't have to tell the public every time your site goes down," says Muller, "you should initiate communications as quickly as possible if your customers become vulnerable."

      "Determine how your communication will be delivered," says Muller. Will you e-mail employees? Call departmental managers? Develop different scenarios based on the number of people affected by the crisis. If a small percentage of people are affected, it may be realistic to contact them directly by e-mail or phone. If a large number are affected, you might want to communicate more broadly by mail. But remember, says Muller, "you don't want to alarm people unnecessarily. Always use the method that best reaches your target audience."

      "Make sure you back-up customer data systems," says Muller, "and be sure you have a place to store your customer contact information if your site is jeopardized, so that you can contact your customers if you need to."

During the Crisis: The First 24 Hours

      "The public is likely to judge you on your actions within the first 24 hours," says Muller. "That's why it is critical from the very start to communicate honestly - and acknowledge when you don't have all of the facts."

      For this reason, says Muller, "it is important to contact your customers as soon as possible. If they are in jeopardy, you want to tell them before they learn about it on the news." You should also prepare your customer complaint center, and let your employees know about the situation.

      In addition, if your company is aware that it has been hacked, you - and your company's spokesperson - "should be prepared to talk to the press," says Muller. This means you need to determine the facts quickly and have your statement at the ready.

      And whether you are talking to the press, your employees, or your customers, remember these tips:

      "Be accessible to the media," says Muller. Otherwise, it may be reported that you were not available to make a statement, which can give the appearance that you are trying to conceal the incident.

      "Don't be defensive if you don't have all the answers right away," says Muller. Instead, be up-front about what you do and don't know, and let people know when you expect to be able to provide an update. In some cases, you may even be asked to comment on an issue you don't know anything about. In that case, says Muller, "the first thing you want to do is ask the reporter when his or her deadline is, and let the reporter know you will contact them once you can gather more facts."

      "Never speculate," says Muller. "It is human nature to try to fill a void during a crisis with calming commentary. But you can appear to be misleading or dishonest if you have made the problem sound minimal and it turns out to be more serious."

      "Be sure to express your company's concern for any personal loss, if it occurred," says Muller. This will reassure your customers that you care about what happens to them, and that you are aware of the implications of the hack on their own lives. You are responsible for your customers' online security when they are on your site, and should refrain from blaming another organization or naming people you believe are responsible for a crime. If anyone is arrested, it will become a matter of public record, and the police may release the names.

After the Chaos: Following Up

      Once the initial inquiries have been answered, you will have time to do further research and determine more facts. If you decide to go back to the press or your customers with more information, Muller suggests these tips:

      "You should explain what you are doing to protect the customer, shareholder, or any other group that may have an interest," says Muller. To do this, you may want to go over the details of the event, including:

      - Cause
      - Number of people affected
      - People in charge at your company for monitoring this type of problem
      - Function or area of the site that may have been jeopardized
      - Status of your business activities that were impaired
      - Measures in place to help your customers who were affected
      - Procedures to prevent this from happening in the future

      "Help shape the tone and scope of the story," says Muller. For example, instead of reporting that 10,000 customers were affected, report that this represents just one percent of your customer base. As a result, you can show that only a small portion of your customers was actually affected.

      You can also help by "distinguishing the tangible from the emotional," says Muller. For example, if a hacker gained access to your customers' favorite colors and waist sizes, it may make them feel uncomfortable - but it does not mean that financial data or credit card accounts are at risk.

      "Be sure you have pinpointed groups beyond your immediate customers and customer service employees who might want to know about the status," says Muller. "If the incident is significant, you may want to communicate directly with them." These people may include:

      - Employees (beyond those in customer service)
      - Regulators
      - Elected Officials
      - Investors
      - Board Members
      - Suppliers, vendors, contractors
      - Corporations sharing your server space
      - Opinion leaders or special interest groups

      "Reassure your customers about your security procedures," says Muller. Post them on your site, and add them to your routine messages, such as bills or marketing materials. "But be sure to weigh the consequences," says Muller. "Will this upset or reassure your customers?"

      Work with law enforcement to make sure "you know about any information they may release in the future and when they'll do it," says Muller. Enforcement agencies or other groups have their own public relations staff and agenda. If they are going to announce that they're arresting the criminal, you should have your own statement ready for the press.


E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.
