Canadian Security Magazine

The risks and rewards of empathy in data breach communication

By Mitch Koczerginski, Partner, McMillan LLP


It is never easy to deliver bad news. Nor is it any easier in the context of a data breach, where there are potentially significant legal implications at stake. Empathy can be a useful tool for achieving important reputational objectives in data breach communications without undermining the organization’s legal posture.

The Scenario

Picture this. An organization has just learned that its IT network has been compromised. An employee clicked on a link in a phishing email, and soon after, the entire system is encrypted. The culprit left a note claiming to have downloaded the organization’s entire human resources, payroll and accounting servers and is threatening to publish if a cryptocurrency payment is not deposited into a specified wallet within two days. To show the culprit is serious, a set of files containing social insurance numbers and bank account information belonging to large numbers of individuals is published to the culprit’s leak site.

After receiving advice from legal counsel, the organization has decided to notify those affected as soon as possible to allow them to protect themselves and otherwise to ensure that the organization complies with applicable legal requirements. The organization is understandably concerned that the breach notice is almost certain to cause panic, attract negative publicity and may set the foundation for claims of liability against the organization, including class actions.

The Individual’s Perspective

When developing a communications strategy that will minimize the potential for negative reputational blowback, it is important to start by identifying the primary concerns of affected individuals and then considering how the organization’s response can address those concerns. While not all breaches are created equal, these concerns often include a perceived betrayal of trust and a feeling of vulnerability over the potential misuse of their information.


Whether it is a patient sharing health information with their health-care provider, a customer sharing their credit card number with a retail business or a business sharing proprietary information with one of their business partners, they are placing trust in the recipient to protect their information from unauthorized access, theft and misuse. After an incident has occurred that compromises sensitive information, those affected are often quick to look to the person they deem responsible for answers and solutions. They want to know that the organization has taken the responsibility to protect their information seriously, and they want to know what they can do to protect themselves from harm.

The Organization’s Perspective

While it is necessary to consider the individual’s concerns for the purposes of managing reputational risks and because doing so likely aligns with the organization’s principles of transparency and accountability, it is equally important to weigh those considerations against the organization’s interest in minimizing the risk of costly and burdensome litigation and regulatory scrutiny that may be unwarranted. The organization’s concern in this regard is legitimate given that, in practice, breach communications are typically made before a thorough investigation can be completed and, as such, it is possible that the initial description of the incident and its potential effects may paint a more dire picture than is deserved.

From a legal perspective, if a data breach involves personal information, privacy laws may require the organization to disclose sensitive details about the incident to privacy regulators and affected individuals without delay, including, among other things, a description of what happened, the specific information involved and what the organization is doing about it. As such, data breach communications are sure to attract questions and concerns regarding how the organization’s data security practices measure up to its obligations under applicable laws, contracts, and other legal requirements that arise under the common law.

Use of Empathy to Manage Reputational and Legal Risks

Managing an organization’s reputational and legal interests may seem like walking a tightrope at times. From a legal perspective, an organization will want to develop communications that comply with regulatory notice obligations but avoid making statements that admit fault for the underlying incident. These priorities can sometimes seem at odds with the organization’s reputational interests, which may call for using post-breach communications to rebuild trust by demonstrating genuine concern for what has happened and a general sense of accountability.

Those who have been directly affected by a data breach will no doubt be looking for answers (what caused the breach and how much of their personal information was potentially compromised) but they may also be looking for a little understanding from the organization. Sincerity and empathy will go a long way towards addressing their concerns without necessarily exposing the organization to undue litigation risk. An organization can show empathy by demonstrating that it understands and recognizes the feelings of those affected by a breach and that it is taking necessary steps to manage the difficult situation with compassion. Appropriate messaging will differ depending on the context, but showing empathy could be as simple as indicating that because the organization values the legitimate privacy concerns of individuals, it is taking proactive steps to ensure that those who may be affected are protected even before completing a thorough investigation of the incident.

With the above said, use of empathy is not without its risks and communications should be carefully vetted by legal counsel and communication specialists to avoid unintended consequences. Those affected by an incident may regard expressions of empathy as insincere, as a tactic to deflect criticism or as an admission of wrongdoing by the organization, which may lead to further public relations challenges, regulatory scrutiny, and potentially encourage litigation. For example, affected individuals may construe an implicit expression of regret or remorse as implying that the incident could have been avoided with the exercise of more stringent diligence.

Importantly, showing empathy does not mean acknowledging overall responsibility for the underlying incident. Empathy is about demonstrating an understanding and acknowledgment of genuine feelings of affected individuals in connection with a breach and the potential concerns they may have without necessarily accepting blame or assuming liability.

Implement a Strategy That Works for the Circumstances

Not all data breaches are created equal, and a communications strategy that is suitable in one scenario may not be in another. Organizations that have experienced a breach should immediately consult with legal counsel to determine what legal obligations, if any, may apply, including any requirements to notify regulators, affected parties or the public and the required timelines for doing so.

If the decision is made to communicate about an incident, either because doing so is legally required or because an organization elects to do so voluntarily, legal counsel should consider whether the use of empathy can serve as a useful tool to manage the competing reputational and legal risks in the circumstances.

A Cautionary Note: The foregoing does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

Mitch Koczerginski is a Partner at McMillan LLP in Toronto.
