Comparing the Gulf oil spill with a massive data breach
Few would dispute that BP has been less than forthcoming with information related to the oil spill in the Gulf of Mexico.
The company has pinned the blame on the oil rig owner. Scientists have publicly disputed BP's projections of exactly how much oil is shooting from the underwater geyser each day. There have been repeated reports of reporters and photographers being blocked from visiting the crude-fouled beaches — some are even being threatened with arrest. Even the petroleum giant's CEO is doing his best "under embargo" impression.
BP's image is such an open target that a wry social media enthusiast has created a fake Twitter account claiming to be the company's official public relations account. Check it out here. It's HI-LAR-IOUS.
One of my favorites: "The ocean looks just a bit slimmer today. Dressing it in black really did the trick! #bpcares"
The account has amassed some 60,000 followers (and growing), eons more than the real BP Twitter account. Pretty telling of how ticked off people are at BP's response to what is now confirmed as the worst oil spill in U.S. history and one which may forever change the Gulf region's ecosystem.
But there is an information security connection here, because after all, a breach is a breach.
Let's pretend for a second that instead of tens of thousands of barrels of oil spewing into the Gulf, it was tens of thousands of credit card numbers. Ears perking up? You see, public relations plays an important role in any major company incident, whether we are talking about a broken riser pipe buried deep beneath the Gulf of Mexico or a vulnerable web server.
This is what Steve Collins, the security sector lead at Text 100 Public Relations, had to say about the topic:
If you're still questioning the importance of effective breach communications, consider the reality of living in a 24-hour news cycle these days. Bad news travels fast, and with the emergence of social media, the chances of keeping a lid on such news are pretty slim. An employee's blog or tweet, or an overheard conversation at the grocery store, could let the cat out of the bag, unwittingly or not. And the more time that lapses while you're scrambling to determine how to communicate the breach, the greater the risk that news of your breach will be broken in terms you can't control, with serious implications for your brand and your ability to remain competitive.
In the case of BP, of course, it is pretty difficult to hide oil-drenched birds washing up onshore. But you get the idea. Transparency is the name of the game. Customers, plain and simple, will turn their backs on you if you let them down and fail to properly convey what happened. Client retention and brand reputation will suffer.
Some folks, like Bob Carr, the CEO of Heartland Payment Systems, which lost an estimated 130 million credit card records, get this. In fact, as I was typing this post, a PR rep for Carr left me a message, asking to set aside some time to meet with Carr when he visits New York City in a couple of weeks. Yes, Carr wants to promote the company's new encryption solution that it will begin marketing to the merchants for whom it processes transactions. But, knowing Carr, I bet you he won't shy away from answering questions about the breach either.
Oil spills are going to happen. Data breaches are going to happen. But you don't have to suffer any worse than you already are.
Act quickly. Be contrite. Greet the media with open arms. Tell it like it is. Americans are more forgiving than most people give them credit for.
Keep this in mind, if for no other reason than it would stink to be the butt of a viral Twitter joke.