It was a textbook crisis. It happened on a typical Wednesday morning in a rural office in Ontario. Making it even more “typical,” members of the Crisis Management Team were out of town on business. The company was experiencing a sophisticated phishing attack, and a member of their Human Resources team was exchanging emails with someone she thought she knew. Instead, she was sharing company information and personally identifiable information of all 235 employees with a hacker.
As a consulting member of their Crisis Management Team, I joined the call and walked them through the Crisis Management Plan. We initiated their Privacy Breach Response Plan, documented what had occurred and began putting our action plan together. The first action was for IT to confirm that the hacker no longer had access to their network. We also agreed that we needed to notify the employees of the breach.
The Communications Lead was out of the office sick, so I drafted a note to all employees, notifying them of the breach. (The company also offered free credit monitoring for a year, so we let them know how to sign up for that.) I sent the note to the Crisis Management Team for review and approval before sending it out. This is standard protocol and should be included in your process. The President of the company made a few minor modifications to the text and we all agreed with the messaging. The note that went to employees explained that the company was the victim of a sophisticated email phishing scheme and, as a result, an employee shared a spreadsheet with someone who was posing as a company executive. The employee who shared the file was not named. In fact, the entire Crisis Management Team reviewed the message specifically focused on whether or not employees would be able to figure out who accidentally leaked the information. The message to staff DID, however, identify the type of personal information that was divulged.
What happened next was truly astonishing. In her book “Crisis Ready”, Melissa Agnes says, “emotions run high during a crisis.” She adds, “What people feel, beats what they think.” I can attest to that just by watching how people responded to this incident.
The person who was duped by the phishing attack became highly emotional. She was indignant, saying that she felt like the Crisis Management Team ‘threw her under the bus’ with their email to the employees. She felt that everyone would know (based on the type of information divulged) that she was the one that exposed the data. She expected employees to be angry at her for her mistake and she took it out on the executive team. Over the next day, she threatened legal action and said that she was going to resign from the company. She had meetings with senior leaders that included yelling, crying and accusations that the notification to employees specifically called her out as the culprit of the breach.
At this point, the Crisis Management Team reconvened and re-read our notification email. We all agreed that, by all reasonable standards, nothing stated in the email identified (or even hinted at) who was responsible for the breach. But there’s the difference. The Crisis Management Team was looking at the statement logically, while the person responsible for the exposed data was looking at it emotionally. That’s why it’s important that you understand the perspective of the audience you are communicating with – and read your messages through their eyes.
The company’s Privacy Officer was also deeply concerned – not only with the exposure of personal information of her 234 co-workers, but also at the outbursts, friction and tension from the individual involved in the breach – and the threats to the company as a result.
The situation weighed so heavily on the Privacy Officer that her emotions also overtook logic and reasoning. This happened as a result: At the height of the tension, on her way home from work, she decided to stop and pick up a few things from the local grocery store. While she was there she needed to ‘use the bathroom’ – so she parked her shopping cart and found the facilities. But it was only afterwards, while she was washing her hands, that she noticed the urinals in the mirror behind her. You guessed it – the stress got to her and she actually went into the wrong restroom. She was in the men’s room. (And yes – I got her permission to include this story.)
Think about how stress impacts your performance. If you’re worried about a family member or a serious personal situation at home – you can easily become preoccupied with that problem and lose focus. Well, the same thing happens during a data breach. Here’s a recap of what we observed during this single incident:
Embarrassment. The person responsible for the breach ‘knows’ that this was her fault, and that she shouldn’t have fallen for the phishing email’s lure. By her own account, she felt “stupid”. By the way, other people also received the phishing emails and handled them appropriately, which didn’t help the victim’s state of mind. The truth is, she isn’t stupid for making this mistake – but it IS a teachable moment for all of us.
Guilt. She also knows that as a result of her mistake, personally identifiable information for all 234 of her colleagues has now been exposed to the hacker group. She knows that there could be serious consequences to this mistake – including identity theft or impact to the credit of her friends and co-workers.
Anger. She lashed out when the Crisis Management Team did what it was compelled to do – notify employees. She felt like she was being singled out (even though she wasn’t). She was angry that she was taken advantage of, angry that someone violated a trusted relationship and made her a victim.
Fear. Employees started coming to us with other items that frankly had nothing to do with this data breach. There was a questionable charge on someone’s credit card and someone had a clerical error in a bank statement. Any unusual activity was emotionally viewed as being associated with this incident as employees were fearful of a worst-case scenario.
Let me share with you a couple of things that didn’t happen:
Blame. Eventually some employees became aware of who accidentally released their personal information. (Not because of the email notification, but ironically because of the victim’s reaction). But they didn’t blame her or look poorly on her. They saw her as the victim of a crime – and didn’t view her with the same shaming lens that she saw herself through.
Lawsuits / resignation. The victim didn’t leave the company or sue the Crisis Management Team. Calmer heads prevailed and life continued.
It’s important to understand that emotions will run wild during a crisis. Your team will be under stress and your affected stakeholders will want answers. Consider the perspective of your audience when communicating with those affected and understand that emotions outrank logic during stressful times.