A legal representative from one of the largest health insurance companies in the United States has claimed that it is “no longer if, but when” a company will face a hacking incident. Talking at an event hosted by the International Trademark Association (INTA) last week, Heather C Steinmeyer, managing associate general counsel at Anthem Inc, went on to reveal that responding to a cyber-breach effectively is the only way to ensure brand value is not significantly affected long term.
At INTA’s Digital World Conference in Brussels last week, there was much discussion of the changing technological landscape and how companies need to adapt. Indeed, the event’s keynote speaker was Jeremy White, product editor of Wired, who spoke about some of the incoming new products hitting the market – including WiFi-beaming drones, internet-connected appliances (including ‘smart toilets’) and a £3 smartphone. The consensus was that brands must stay aware of which new technologies will become mainstream – be it for potential commercial opportunities, new marketing platforms or in order to expand trademark registration classes to reflect new targets for infringers and counterfeiters.
However, the talk on new technology was not all outward looking – one session focused on the significant challenges of protecting internal data. While many businesses are using ‘big data’ to give consumers a better, more customised user experience, that leaves plenty of opportunities for nefarious activity from third-party hackers. In the Data Protection and Privacy session, Steinmeyer said that we have reached a point where “it is no longer ‘if’, but ‘when’ a company will experience a cyber attack – the real question is how severe it will be”.
Steinmeyer has intimate knowledge on just how traumatising it can be when a severe cyber-breach occurs. In early 2015, Anthem Inc experienced a medical data breach, wherein hackers broke into the company’s servers and stole over 37.5 million records containing personally identifiable information (including names, addresses, emails, medical IDs, social security numbers and employment/income information). She described it as an “advanced, persistent” attack from a “nation state attacker” – indicating that the hack was most probably used “for intelligence, not to sell”, adding: “In the time since, we’ve found no evidence that the data taken from us has ever been used fraudulently or put on sale on the black market – which says a lot about the purpose it was used for.”
Response to such an incident is, of course, critical. Steinmeyer said the FBI was contacted as soon as the breach was discovered and a contract with a security expert firm was signed within 48 hours (“credibility was the most important factor in quickly choosing a security partner,” she added). A public announcement about the breach was made a week later. “There are pros and cons of announcing a hack so quickly,” she noted. “When we went public on February 4, we had a detailed plan to make sure key stakeholders – including investors and customers – heard the information from us first, that was our only hope to mitigate the reputational damage (although finding a vendor that could print and send out 78 million notices was quite a challenge). However, we felt that the public notice was very important, and it had a strong effect on the relatively minor reputational impact that we experienced.”
She weighed up both sides of such an approach. The pros, she says, are that you gain credibility from being transparent, gain trust and have an ability to control the message. “We wanted it to be known that we were the victim – and ‘victim versus perpetrator’ is very different from a messaging standpoint,” she added. The cons, though, are that a company will not have access to all of the facts (“not even a tenth of the facts”), and are often reliant on law enforcement to get the facts once they are involved. “A public announcement soon after a breach is discovered naturally raises a series of questions that, as a company, you simply cannot answer – and you don’t even know when you can answer them, as that is dependent on the law enforcement investigation.”
In the nearly two years since the incident, the company has been hit with 120 lawsuits (most of which have been combined into one multi-district class action suit). And the hacking attempts continue too – Steinmeyer says the company “repels 65 billion breach attempts a year”. But from a brand value perspective, Anthem Inc appeared to have come out relatively unscathed, despite the breadth and intimate data of the cyber-breach. “We tested our brand throughout that time and, while there was a minor blip in the weeks following the announcement, it went back to pre-attack levels shortly afterwards,” she revealed. “Furthermore, we did not lose customers due to the attack.”
Fellow speaker Miriam Beezy, a partner at Baker & Hostetler, agreed that Anthem Inc’s quick response was probably the best strategy to enshrine brand value. In fact, she pointed to data from RAND Corporation’s recent Consumer Attitudes Toward Data Breach Notifications study, which suggests that ‘immediate notification’ and ‘taking measures to prevent future breach’ were the most effective responses to a cyber-breach. The least effective were simply ‘apologising’ and ‘donating money to organisations that promote cybersecurity’ – suggesting that token PR responses do not work when it comes to security and privacy crisis situations.
She also looked at data from Baker & Hostetler’s recent Data Security Incident Response Report which analysed over 300 data breach incidents with which the firm helped in 2015. While 31% of breaches were caused by hackers (as was experienced by Anthem Inc), 24% were caused by employee actions or mistakes. “Education awareness is key to minimise the risk of human error and reducing the chance of these incidents happening,” she said. “But when it happens, every company must have a plan in place to respond because, ultimately, the response to stakeholders after a data-breach can increase or decrease the value of your brand. It is clear from all of these studies that customers prefer to be informed earlier rather than later, and want to be kept up-to-date with the latest information. Tell the truth without spin, provide details, and be completely honest about exactly what happened, why, and what the company is doing so it doesn’t happen again.”