A company falls victim to a hacker ….
A well-known bricks-and-mortar retailer decides to conquer the online world and set up a webshop.
Thanks to the strength of its brands and reputation, the webshop is quickly a success. Unfortunately, one day, the company falls victim to a hacker who steals its customer data including passwords and credit card information. The company is not aware of the breach until it starts receiving calls from worried customers who have read about it.
As the company was not aware of the breach and thus did not conduct an investigation, it decides not to release a communication on the subject and to brush off its concerned customers. Unsurprisingly, this approach results in an avalanche of negative coverage on social media.
Shortly afterwards, the company receives a letter from the Privacy Commission requesting more information about the breach and an explanation of why it was not notified.
…and fails to comply with its GDPR obligations in terms of security and data breach notification.
In this case, the hot issue is of course poor protection of customers' personal data. This is especially problematic when there is no communication about potential problems, and customers themselves have to request information from the seller.
The General Data Protection Regulation recognizes this problem and provides for a number of obligations in this regard.
The main obligation provided for by the GDPR relevant to this case is an active duty for companies to take the necessary measures to protect the data of their customers. In addition, they are obliged to report personal data leaks and breaches to the data protection authority. In certain cases, the data subjects must also be informed.
It is extremely important to have a good data breach notification procedure, according to Heidi Waem, Privacy, Data Protection & Compliance Senior Associate. The sanctions for failure to notify a breach can be up to EUR 10 million or 2% of the company's worldwide turnover. This demonstrates yet again the importance attached to the proper protection of personal data. In this case, the company has clearly failed in both areas and there is thus a risk of severe sanctions.
For more information, please see Part 12 of our GDPR Series on the security of personal data and data breaches.
If something goes wrong: communicate, communicate, communicate!
In terms of communication, much can be said about the company's attitude. Not only did it fail to fulfil its statutory notification duty but, from a business point of view, the company's communication with customers leaves much to be desired. The company was not aware of the problem and afterwards took a very passive approach and brushed off its customers. According to Kristien Vermoesen (Managing Partner FINN), it is not surprising that customers decided to vent their frustration on social media, which led to significant reputational damage.
It is incredibly important to deal with these types of issues before they escalate into a crisis and thus to have a management plan ready. The plan should determine who will communicate to customers and how, for instance. It is also best to prepare in advance a standard notification for the privacy commission so that actions can be taken quickly to identify problems. In light of recent ransomware attacks taking entire networks hostage, it is of course also a good idea to store communication strategy documents offline.
If a company, despite adequate preparation and transparent customer communication, still falls prey to a social media circus, the only possible option is damage control. By being the first to communicate about the crisis, the company can fill the information vacuum that arises afterwards. This can be done for example by creating a (neutral) hashtag which people can use to share their experiences. In this way, it's possible to prevent external parties from hijacking and putting a negative spin on the situation. Finally, it's always a good idea to be proactive and to respond swiftly and consistently to customer posts and questions.