Crisis Management: What PR Professionals Can Learn From the Capital One Data Breach

The moment of crisis – for better or worse, we’ve all been there. It’s dreadful, it’s mortifying and it can significantly impact the reputation of an individual or brand.

It’s a moment that no one ever wants to deal with. Yet, it’s in times of crisis when anyone – be it an individual, business or other organizational entity – truly proves their mettle to themselves, their colleagues and their stakeholders.

Strangely, a moment of crisis presents a unique opportunity to showcase the integrity of the affected individual or business. It positions you in a fight-or-flight type of crossroads. That’s why in these moments, it’s critical to address the crisis and any associated challenges head-on. Assume ownership and accountability where appropriate and emphasize the steps that are being taken to ensure the crisis will be resolved.

Recently, Capital One reported that a hacker gained access to personal information of more than 106 million individuals in the U.S. and Canada – a nightmare situation for a credit-card and bank-holding company. One of the largest data breaches in history, the breach occurred March 22 and 23, 2019, and the breached information included 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers. The hacker also managed to access an undisclosed number of names, addresses, credit scores and other private information. Credit card applications dating back to 2005 were also accessed. The New York attorney general is investigating whether Capital One is negligent in this case.

It’s distressing news and Capital One was besieged with a torrent of questions from customers and credit-card applicants. So how have they handled this crisis? Below, we run through a few of the Golden Rules of PR Crisis Management provided by the Forbes Agency Council and assess the Capital One announcement and ensuing aftermath.

Take Responsibility

Capital One was swift in releasing its statement and overview of the breach, announcing the news at the close of the business day on Monday, July 29, or 12 days after learning the breach had occurred. Included in the overview was an apology from Capital One chairman and CEO Richard D. Fairbank:

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Fairbank. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

Other parts of the announcement could’ve done a better job of assuming responsibility for the breach. One confounding statement drew online ridicule. This underscores the importance of carefully crafting appropriate messaging to deliver in crisis situations.

Be Proactive, Transparent and Accountable

Capital One did its part to get ahead of the story. Once it learned of the breach on July 17, Capital One says it closed the vulnerability. Two days later, the company verified its information had been stolen and began working with federal law enforcement. The accused hacker, Paige A. Thompson, was arrested 10 days later, with Capital One releasing its statement following her arrest. The breach was publicly disclosed less than two weeks after Capital One was tipped that the incident had occurred, with Capital One detailing what happened, what the impact of the breach was, and what steps were being taken to address it.

As the New York Times reports, a similarly sized security breach that occurred with credit reporting agency Equifax – in which private information for 147 million people was exposed – was publicly disclosed six weeks after the agency learned it had taken place.

Prepare for Social Media Backlash

Oh, was there social media backlash – and in crisis situations, it must be expected.

In Capital One’s case, many customers were upset to learn of the breach via news outlets or social media and not from a personal email, and they vented these frustrations online. The New York attorney general took to social media to announce the investigation into whether Capital One is negligent in this breach.

To its credit, Capital One kept its breach announcement pinned as a social media post on its Facebook, Instagram and Twitter pages in the days following the occurrence. Capital One has also been communicative and responsive to commenter questions about the breach on its Facebook page.

Be Prepared

As any PR professional can and will attest, having an effective protocol in place for crisis situations is imperative and will ultimately determine if your organization will sink or swim in the aftermath of a crisis. Your organization’s protocol should serve as a type of support and provide guidance for navigating the storm of a crisis. It will help you prepare an appropriate response and effectively communicate with stakeholders and media.

The Capital One breach is being reported as one of the largest ever, and while the company’s response may not have been perfect, it was swift, honest and upfront. An effective protocol had to be in place.

The company was also gifted a few chance circumstances. In some ways, Capital One was fortunate in how this breach occurred, as the hacker was broadcasting the hack on a public GitHub page and via a Slack chat thread. Doing so led to the tip about what had transpired and saved Capital One precious time in addressing the incident. Having an effective plan in place only helps an organization capitalize on such opportunities.

No one wants to prepare for a crisis – there’s a reason why such instances are often described as “unthinkable.” That being said, preparing in advance for how you’ll handle a crisis situation before it occurs will save you an extra headache and give you one less thing to worry about should such a situation arise. So be prepared – you’ll thank yourself later.