Today’s entry is based on one of the 20 case studies in my position paper, “Beyond the Bottom Line: 20 Ways to Reduce Reputational Risk.”
The premise of this threat is that hackers successfully gain access to confidential consumer information entrusted to your company.
Over the course of several weeks in December 2014, the health insurer Anthem learned of a cyberattack on its customer records. The database in question held records for as many as 80 million current and former policyholders.
The hack attack brought reminders of a similar problem encountered by Anthem in 2013. In that instance, the company was fined $1.7 million by federal officials for allowing unauthorized workers access to confidential records.
According to a web site developed for the company, “The information accessed may have included names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses, employment information, including income data. We have no reason to believe credit card or banking information was compromised, nor is there evidence at this time that medical information such as claims, test results, or diagnostic codes, was targeted or obtained.”
Anthem acknowledged that its database was not encrypted. This drew criticism from cybersecurity experts who view encryption as Data Security 101, especially when sensitive records such as medical information are involved.
Anthem has little capital in its goodwill bank, given the previous breach and its reputation for less-than-stellar customer service.
Some ideas for organizations hit with a hack attack to consider:
- Be prepared to communicate fully and openly with customers affected by the hack. News accounts indicate that some Anthem customers received e-mail notification relatively soon after the discovery. Not all did, however (as this writer—then an Anthem policyholder—can attest).
- Plot your communications strategy in advance. For instance, it would have made sense here to bring on board a consultant skilled at message development.
- Know what you’re going to say before you say it. That’s where the position paper “Maximize Your Next Media Training: Best Practice Standards” comes into play.
What are you doing to prepare your organization for that nearly inevitable hack attack? How will you communicate to your public in the face of a crisis?