What would happen if your emails were disclosed for all to see? For most of us, it would be awkward at the very least, but for a public figure or corporation, disclosure of private communications amounts to a full-blown public relations crisis.
Hillary Clinton’s campaign is currently dealing with a regular trickle of hacked private emails made public by WikiLeaks. So far, the disclosures have been more embarrassing than anything else, but the daily drip is a reminder of the risks of assuming that private communications will remain private. Another recent example – the 2014 hack of the email system at Sony Pictures Entertainment – was a grim lesson to companies all over the world. It resulted in lawsuits against Sony, the disruption of countless relationships, and ultimately the resignation of CEO Amy Pascal.
The unauthorized disclosure of private information is particularly tricky in crisis management terms. Experts tend to divide negative events into two groups. In the first group are bad things inflicted on an organization by external forces or criminal actors, like a weather disaster or product tampering. These crises are typically a bit easier to deal with than some others because the organization is seen as a victim. In the second group are errors committed by or within the organization, like systemic sexual harassment or financial improprieties, which are tougher to handle because the organization is usually at fault.
What makes an email hack such a tricky crisis to manage through traditional PR techniques is that it should engender sympathy for the hacked individual or company, yet that natural response can be overwhelmed by sensational or salacious content. The organization’s response becomes even more important. Most choose to defend themselves by emphasizing the illegal nature of a typical hack, but it’s a very difficult position to maintain through several news cycles featuring hacked information.
There’s almost no way to come out unscathed if a leak or hack results in the disclosure of newsworthy information. In theory, the best response is to own up to the information, if accurate, and to apologize for harm done. But in the real world, such admissions may make the hacked party vulnerable to litigation or further reputation harm.
The best privacy crisis is the one that doesn’t happen, of course. Here’s what every organization should do to minimize the chances of private information becoming public.
Have a digital media policy. This is a no-brainer, but it needs to be read and understood by every employee and vendor/partner of any organization that’s at risk — and that means everyone. Make sure the policy is a living document that covers email and other digital content and digital archiving.
Convey a “commonsense” digital communications policy to employees. Today you simply cannot email, text or post on social media anything that shouldn’t be made public. In the “old days” (meaning the early days of email) we’d say don’t put anything in an email you wouldn’t want to be seen in the New York Times. It still holds.
Make sure clients and partners know your digital media policy. Many of the purported Clinton campaign emails are notes with advice, complaints, or criticism directed at John Podesta. For anyone working on a high-profile campaign or team, it’s impossible to prevent all those incoming emails, but I’d bet that campaign staff are discouraging substantive discussions via email and asking partners to use more secure communications.
Screen vendors and contractors. You’re only as secure as your weakest link, as shown by the data security scandals brought on by trusted contractors like Edward Snowden or, more recently, Harold Martin. Most of us don’t handle data as sensitive as a federal agency like the NSA, but we can institute clear vendor security protocols and enforceable nondisclosure agreements for freelancers and contractors.
Use secure apps for sensitive communications. Secure messaging apps like Signal are getting popular for a reason. Everyone realizes the risk of a hack. Any team that traffics regularly in confidential or sensitive information, or that simply wants to as a matter of policy, should consider communicating outside normal email through encrypted messaging apps and other secure tools.
Don’t tempt fate…or hackers. Most people know the story of LifeLock, the ID protection company whose CEO advertised his Social Security number as a challenge to would-be identity thieves. Of course, his identity was stolen and used to make an illegal $500 loan. The infamous Ashley Madison breach may have happened in part because hackers were outraged by the company’s privacy and security claims, which they saw as dishonest.
Invest in the best digital security you can afford. Cybersecurity, of course, is a first line of defense, but it does not guarantee you won’t be hacked. That’s why employee behavior needs to adapt to the security risks we all run every day.