Crisis Management Assistance
Crisis Management
Presented by Jack Cloonan

Failing to Plan is Planning to Fail

IRONSHORE CRISIS MANAGEMENT SEMINAR: Facility Explosion
BREAKING NEWS

PANEL DISCUSSION
Stratton Horres – Panel Moderator
Christopher Kelly – Property: The Minute After
Dawn Krigstin – How to Handle An Environmental Crisis
Peter Duda – Managing Communication

Property: The Minute After
Christopher Kelly, Vice President Property Claims Ironshore

PROPERTY: THE MINUTE AFTER
Who What Where Why When How?
© 2013 Wilson Elser. All rights reserved.

WHO:
• Do You Call?
– Employees - Facilities, Site Manager, Other sites, Accounting(?)
– Contractors - Demolition/Clean up, Construction, Engineer
– Broker, Insurer, Adjuster
– Local Authorities - FD, PD, Bldg. Dept.
• Is Project Lead?
– Risk Manager, Plant Manager, Facilities Dept., Other?
• Does the Claim Belong To?
– The Insured

WHAT:
• Is Damaged?
– Building, Premises, Property of Others, Equipment, Stock, Operations
• Is Our Goal?
– Repair/Replace? “As Was” or Modified?
– Abandon/Exit?
• Resources are Needed?
– To keep business operating
– To satisfy authorities
– For Insurance Claim – inventory, asset register, workflows, leases/contracts, involved parties.

WHERE:
• Are the resources?
• Can/Should Operations Resume?

WHY:
• To Satisfy Business Need?
• To Satisfy Authorities? Local, State, Federal
• To Satisfy Community?
• To Satisfy Insurance Company(ies)?

WHEN:
• Sequence of Actions?
• Five Minutes or More – ago.

HOW:
• Planning
– Pre Loss: Business Continuity Plan (BCP)
– Post Loss: Exercise/Adapt Plan
• Listening
– To In-House Personnel, To Authorities, To Adjustment Team, To Your Gut
• Communication
– Cliché, but Key

ADJUSTMENT PROCESS
• Insurer Adjustment Team
– Adjuster
• Accountant
• Salvor
• Engineer
• Building Consultant
• Attorneys
– Subrogation
– Coverage

ADJUSTMENT PROCESS
• Reduce Loss – (NOT Coverage Oriented)
– Salvor
– Subrogation Counsel/Cause & Origin
• Evaluate Claim
– Adjuster
– Accountant
– Engineer
– Building consultant
– Coverage Counsel
• Evaluate Coverage
– Adjuster
– Coverage Counsel

ADJUSTMENT TEAM VALUE ADD
• Assist Insured In Making Informed Decisions
• May Have Worthwhile Suggestions
• May Be Able to Refer Resources
• May Be Able to Interface With Authorities/Contractors
• Prompt Issuance of Payments (Partial/Final)

HARD FACTS
• It is the Insured’s Property, Business, Claim
• Adjustment Team Can Be Resource, But Does Not “Authorize”
• Not All Business Decisions are Insured

KEYS TO SUCCESS
• PRE-LOSS
– Have A Plan
– Identify Resources
– Relationships
• POST LOSS
– Open Communication
• Documentation
• Verbal
• Relationships

OPPORTUNITIES
• Potential Positive Impacts
– Employees
– Customers
– Community
– Operations

How to Handle An Environmental Crisis
Dawn Krigstin, Vice President Ironshore Environmental Claims

ENVIRONMENTAL CLAIMS

SOURCES OF ENVIRONMENTAL CLAIMS
• The discovery of persistent contaminants in soil or groundwater;
• The accidental or sudden release of contaminants that persist in soil, groundwater, the atmosphere or structures; or
• An individual’s long-term or acute exposure to contaminants that may leave lasting injuries.

CHARACTERISTICS OF AN ENVIRONMENTAL CLAIM
• Influence of regulatory agencies on claim resolution
• Uncertainty as to cause of damage or injury
• Disputable effectiveness of any particular cleanup strategy
• Immediate response/action is usually required

WHICH COMPANIES HAVE ENVIRONMENTAL EXPOSURES?

ENVIRONMENTAL CLAIMS
– All claims are fact specific and fact intensive
– Environmental claims are complicated
– Many parties are usually involved
  - Regulatory agencies
  - Claimants
  - Insureds
  - Brokers
  - Multiple potentially responsible parties with various contributions to the loss
  - Multiple carriers (based on policy years, coverages)
– To complicate matters, it is often difficult to determine the cause of an environmental claim as well as the effectiveness of a particular cleanup strategy.

IDENTIFY PLAYERS
• Which carriers? Professional liability; Property; Environmental; Tank Policies
• Which Parties?
  - Maintenance issue?
  - Suppliers (defective product?)
  - Contact Information? Broker; Carrier; Crisis hotlines; Insured Claims Managers

MANAGING EXPECTATIONS
TEAM = Insured & Adjuster & Broker
• What is the process?
• What is expected?
• Contractors? Consultants?

Expectations and strategies can be established early
• Identify additional information needed and determine who is best to provide
• Makes process more personable, sets tone
• Dilutes contentiousness or distrust
• Allows for informal discussion about application of policy terms
• Broker can help better explain policy and process to the insured
• Team can focus on resolution, fair compensation or satisfaction of the applicable regulatory requirements

CONSIDERATIONS (AKA: DAMAGE CONTROL)
• Attorneys
• Statements
• Pictures
• Accident Recreationists
• “Boots-on-Ground” Adjusters
• Environmental Consultants
• Air Quality Monitoring/Tracking
• Public Relations

NEED PR? YES!

PREPARE!!!
• Pre-crisis planning
– Press releases with fill-in-the-blanks
– Meet your claims team
– Build relationships with local fire stations/attorneys/etc.
– Have contract in place with ER companies
• Terms and rates can be addressed when cooler heads prevail.
– Know who to call
– Manage internal processes
– Ask questions to help understand the post-claim stages, timelines and strategies

Managing Communication is Critical
Peter K. Duda - Communications Specialist
Executive Vice President and co-head of the global crisis and issues practice
Weber Shandwick

Managing communication is critical
• Crisis requires prompt, incremental response
• With social media, transparency and speed are even more paramount
• Pre-define (or quickly define) roles and responsibilities of employees and advisors

Local issues can quickly become national news
West Fertilizer Company Explosion – West, Texas (2013)
Freedom Industries Chemical Spill – Charleston, West Virginia (2014)
ExxonMobil Pegasus Pipeline Release – Mayflower, Arkansas (2013)
ConEd Gas Explosion – New York, New York (2014)
• Catastrophic business impact
• Loss of enterprise value
• Government investigations
• Civil and criminal litigation
• Media attention
• Long-term community impact, distrust

COMMUNICATIONS RESPONSE: How Not to Do It

COMMUNICATIONS RESPONSE: Respond Rapidly When the Crisis Strikes
• Prompt, incremental response
– Rapid engagement of a pre-prepared crisis communications plan
– Instant activation of 24/7 crisis management war room with team members from key practices: operations, management, legal, communications, sales and influencer experts
– Pre-define (or quickly define) roles and responsibilities of employees and advisors
• Rapid response through digital and traditional media
– Activate necessary dark sites/pages; remove content when necessary/appropriate
– Pre-and-post SEO, including optimizing keyword search, promoted tweets and ads
• Close coordination with authorities
• Round-the-clock monitoring
– Clear mechanisms for notifications and alerts
– Ongoing media coverage reports, social media impact analysis
• Establish secure flow of information, leak-proof security protocols
• Consistent messaging across all documents

RECOVERY: Restoring the Company’s Reputation
• Post-crisis analysis to help determine best practices moving forward
• Ongoing social media monitoring to maintain an ear to the ground for potential issue spotting
• Use social media to continue outreach with key opinion leaders
• Keep internal community informed – let them know how they helped drive the process
• Communicate the post-crisis corporate story and plan for operational success and brand recovery by leveraging strong media relations

Kristin McMahon
James Gannon
Rhonda Barnat
Frank Milliken
Ricki E. Roer - Moderator

IRONSHORE CRISIS MANAGEMENT SEMINAR: Employer Liability for Workplace Violence

Employee Misconduct
• Foradori v. Harris, 523 F.3d 477, 481-482 (5th Cir. 2008)

Michael Foradori, a customer at a restaurant, was confronted by Al Cannon, an older teenage restaurant employee, who was off-duty but dressed in his restaurant uniform. Cannon was angry because he thought Foradori had been hitting on his girlfriend. The manager on duty witnessed the beginning of the altercation and ordered both to go outside, but did nothing else to defuse the escalating confrontation. In the restaurant parking lot, Cannon continued to verbally challenge Foradori. At this point, another restaurant employee, Garious Harris, a football player over six feet tall and weighing nearly 250 pounds, sprinted toward Foradori from behind and struck him with his fist in the back of his neck. Harris was running at full speed when he delivered the blow, described as a “hard punch” with a “balled-up fist.” Foradori was knocked unconscious, causing him to fall head first to the concrete surface below.
Foradori suffered a broken neck and severed spine and was diagnosed with permanent quadriplegia. Question: What liability does the Restaurant have over the off-duty conduct of its employees? Was the manager’s instruction to take the altercation outside sufficient to sever liability? What premise liability does the restaurant have? Answer: The jury found that the restaurant operator's negligent failures to regulate, train, supervise, and control its off-duty employees on its premises were proximate causes of Foradori’s injuries. The jury returned a verdict in favor of Foradori, awarding him approximately $10 million for past, present, and future physical pain and suffering, mental anguish, and the loss of enjoyment in life. This figure consisted of $1,581,884.41 for reasonable and necessary medical expenses already incurred; $8 million for the present value of the reasonable and necessary medical expenses reasonably likely to be incurred in the future; and $1,300,000 for the present value of loss of future earnings or earning capacity resulting from his disability. Employee Misconduct • Doe v. Saint Francis Hosp. and Medical Center 309 Conn. 146-150, 934 (Conn.Super. July 16, 2013 ) Beginning in 1964, and continuing for decades, George E. Reardon, a physician, purported to conduct a “child growth study” on the premises of his employer, Saint Francis Hospital and Medical Center (“the Hospital”). The Hospital had hired Dr. Reardon in 1964 as a physician specializing in endocrinology. Immediately upon assuming that position, Dr. Reardon began conducting a child growth study out of his office on the Hospital's fourth floor. The study was approved by the Hospital's research committee and was funded by the Saint Francis Hospital Association. The ostensible purpose of the study was to measure the growth rates of normal children to assist in the treatment of children with abnormally low rates of growth. In fact, Dr. 
Reardon was a pedophile who used the so-called study as a ruse to sexually exploit hundreds of unsuspecting children. Tim Doe was one of those children. Doe sues the Hospital alleging: 1) that the Hospital had negligently failed to supervise Dr. Reardon's activities in connection with the study, and 2) that the Hospital had breached the special duty of care that it owes to children in its custody. Question: What liability does the Hospital have over Dr. Reardon’s conduct? Answer: Following a trial, the jury found for the plaintiff on both claims and awarded plaintiff $2,750,000. Employee Misconduct • Ten Broeck Dupont, Inc. v. Brooks, 283 S.W.3d 705 (Ky. 2009) Ten Broeck is a psychiatric hospital located in Louisville, Kentucky where Artemecia Brooks was voluntarily admitted as an in-patient. Prior to Brooks’ admission to Ten Broeck, a local police detective received information from an employee that a sexual predator was employed at the facility. This information was received during an investigation of a patient-on-patient rape. The police officer informed Ten Broeck's Human Resources Director that he had received a tip that an employee had lured and sexually attacked patients, and, the police detective provided the Human Resources Director with a description of the individual. The Human Resources Director did not believe that any employees fit the description and did not conduct an investigation. During Brooks’ hospitalization, an orderly named Feotis Gilbert forced Brooks to have sexual intercourse. The police detective’s description of the sexual predator matched many of Gilbert’s characteristics. Question: What liability does the Hospital have over Gilbert’s conduct? What duty did Ten Broeck have: 1) to protect its patients from criminal misconduct of employees, and 2) to investigate the tip Human Resources received from the police detective? 
Answer: Following a trial, the jury found for the plaintiff and awarded $161,000 for pain and suffering, $130,000 for future pain and suffering, and $1,800,000 in punitive damages based on Ten Broeck’s failure to undertake any investigation. Premise Liability • McBeth v TNS Mills, Inc., 458 SE2d 52 (SC App 1995) Alice McBeth worked the evening shift at TNS Mills. At the end of her shift, McBeth walked to her car in the fenced-in company parking lot and encountered Juanita McCravy. McCravy was not a TNS Mills employee and her presence in the employee parking lot was unauthorized. McCravy was the girlfriend of another TNS Mills employee, Craig Miller; McCravy was prohibited by TNS Mills from being anywhere on the premises due to prior incidents of domestic disturbances between McCravy and Mills which had occurred at the worksite. McCravy confronted McBeth about McBeth's relationship with Miller and, when McBeth admitted that the two had a romantic relationship, McCravy hit and stabbed her. McBeth died of her wounds. Question: Did TNS Mills owe McBeth a duty to provide adequate security measures in the company parking lot from third party criminal acts? Did TNS Mills have a duty to protect McBeth from McCravy specifically, due to the company’s knowledge of her prior aggressive behavior towards TNS Mills employees? Answer: The court held that there is a duty to anticipate and guard others from the criminal acts of third parties if a special relationship such as employer-employee exists between the parties. An employer can be held liable if it knows or should have known that the criminal acts of third parties could cause harm to employees, and it failed to reasonably protect employees. Premise Liability • Aidroos v. Vance Uniformed Protection Services, Inc. 386 Ill.App.3d 167 (Ill.App. 1 Dist. 2008) Willie Baker was terminated for theft by his former employer, Navistar International Transportation Corp. 
Pursuant to company policy, Baker was no longer allowed to be on company premises because he was a terminated employee. Prior to his termination, Baker had never exhibited any violent proclivities. At about 9:45 a.m. one morning, Baker parked in Navistar's visitors' parking lot and entered an unlocked door of a gate guardhouse station, carrying weapons concealed in a golf bag. Although the buildings were supposed to be locked, Baker was able to open the door and enter one of the buildings. Inside, Baker randomly shot building occupants, killing four and wounding others before killing himself.

Question: What was Navistar’s duty in securing the premises against third party criminal acts? Can the families of the employee victims sue Navistar based on a theory of negligent maintenance of the workplace?

Answer: The Court granted summary judgment in favor of the employer because the Court found that there was no duty to protect employees from criminal acts of third parties. A critical element of the Court’s analysis focused on whether the criminal acts of third parties are “foreseeable,” and in this case, where the former employee had no history of violence, there was no duty to protect employees from Baker’s unanticipated criminal activity. The Court noted that there is a duty to protect employees when an employee is in imminent danger and this is known to the employer.

Co-Worker Violence
• Medlen v. Estate of Meyers, 476 F.Supp.2d 797, 799-809 (N.D.Ohio 2007)

One day, a disgruntled employee, Myles Meyers, entered the DaimlerChrysler Toledo North Assembly Plant with a concealed shotgun, which he used to kill and wound several coworkers in a mass shooting. Meyers had worked at DaimlerChrysler for twenty-two years. His disciplinary record included written warnings for attendance violations and discipline for not ringing in his own time card. That record showed no instances of violence in the workplace.
The record did indicate, however, that Meyers had had temperamental “outbursts” and on occasion been “out of control.” The record also indicated that prior to the shootings Meyers stated he was “going to get” the coworkers that he later shot.

Question: What liability does the Plant have over Meyers’ conduct? What duty did the Plant have: 1) to protect its employees from criminal misconduct of other employees, and 2) to protect the employees that Meyers specifically threatened? Does Workers’ Compensation preclude recovery by the injured employees (or their estates)?

Answer: In Ohio, as in the majority of states, an employer who negligently injures an employee in the workplace cannot be sued by the employee for such negligence where Workers’ Compensation insurance provides recovery. The statute immunizes employers from negligence claims arising from workplace injuries where the injured employee receives workers’ compensation benefits. However, an injured employee can circumvent the exclusivity of Workers’ Compensation by establishing that the injury did not occur within the scope of employment and that 1) the employer knew about the dangerous “process, procedure, instrumentality or condition” in the workplace; 2) the employer knew and was “substantially certain” that, if subjected to this danger in the workplace, the employee would be harmed; and 3) with the aforesaid knowledge and certainty, the employer required the employee to remain in the dangerous situation. In this case, although the Court found that the Plant knew Meyers had a history of verbal outbursts, there were insufficient indications that Meyers would act violently toward his co-workers so as to impute the requisite knowledge about the risk of harm he posed to his coworkers. Based on this finding, the victims’ estates were precluded from pursuing negligence claims against the Plant, and were restricted to proceeding under Workers’ Compensation insurance for recovery.

Co-Worker Violence
• Colas v.
Watermain, 295 A.D.2d 775, 776 -777 (3d. Dept. 2002) Alisha Bermudez was employed as a secretary and had been romantically involved with a coworker, Robert Giles. One day Giles, who was not scheduled to work that day, appeared at the employer's workplace and spoke briefly with Bermudez before holding her hostage and, ultimately, killing her. Bermudez’s mother subsequently filed an amended claim for workers' compensation death benefits on behalf of Bermudez’s three minor children. Question: Can Bermudez’s Estate successfully claim workers’ compensation benefits? If Workers' Compensation benefits are not available, can the Estate seek damages from the Employer on alternate theories of liability? Answer: In general, workers' compensation benefits apply to workplace injuries that arise out of the course of employment. Because Bermudez’s death resulted from a personal relationship conducted exclusively outside of work with an individual who coincidentally was a coworker, her estate was denied death benefits under the Workers' Compensation laws because her death did not arise out of the course of her employment. When Workers' Compensation does not apply, employees may seek to establish liability under “common law” theories of negligence. Crisis Management Assistance Terrorism Presented by Jack Cloonan The Scenario Terrorists attack a shopping mall Two groups of terrorists storm shopping centre. Shoppers flee in panic or hide in shops and store rooms Hundreds of shoppers and workers escape, but others are left trapped Security forces arrive 30 minutes later. A fire fight starts Fighters are cornered in shopping centre supermarket overnight Army and Special forces launch assault. 
15 Terrorists and between 10 and 15 hostages

Batasang Pambansa Bombing
Remembrance Day Bombing
LO AIRPORT MASSACRE
Riyadh Compound bombing
2007 Ankara Bombing
2002 Bali Bombings
2007 Tourist Attack Yemen
2003 Red Square Bombing
April 2005 Cairo Attack
2013 Woolwich attack
2004 Al Khobar Massacre
1995 Paris Metro Bombing
Oklahoma city bombing
Muna Hotel Attack
2008 Danish embassy Bombing
1998 OMAGH BOMBING
1991 Vic Bombing Spain
1973 PAN AM FLIGHT 110
1993 World Trade Centre Attack

Impact of Terrorism
• Damage to Property
• Loss of Life
• Business Interruption
• Duty of Care
• Law Suits

Case Studies of Civil Liability of the Land Owner and Security Provider for a Mass Shooting Incident

Aurora
• Traynom –v.- Cinemark USA Inc., 2013 U.S. Dist. LEXIS 54981 (USDC-Col. 2013)
• Colorado Premise Security Act pre-empts Common Law Tort principles
• The injured and deceased plaintiffs are found to be “Invitees” as defined by the statute
• Landowner must use reasonable care to protect patrons against only those dangers of which the landowner actually knew or which the landowner should have known

Aurora (Continued)
• Defendants Motion to Dismiss on the Pleadings granted, but the Judge says it’s a “close call”
• Factors in favor of Dismissal on the Pleadings:
– the unforeseeability of the danger of a person such as James Holmes committing a mass killing
• Factors against Dismissal on the Pleadings:
– Some prior incidents of violence at the subject location
– The back door used by Holmes was propped open and went undetected
– Security did not stop the film or turn on the lights
– Delays cited in calling the police
– The size of the exits and the need for people to leave quickly in an emergency

Columbine
• Castaldo –v.-Stone 192 F.Supp.2d 1124 (USDC-Col.
2001)
• Suit brought against sheriff, school district, and individual teachers and supervisors
• Claims of fault were not about the subject event
• Claims of fault concerned multiple previous events, which plaintiffs allege put sheriff and schools on notice

Columbine (Continued)
• The Court Grants Motion on Pleadings to Dismiss
• Factors against Dismissal:
– School and sheriffs knew of many prior acts of vandalism and threats by Harris and Klebold
– School aware of violent videos and written homework submission produced by shooter
– School aware of specific violent threats to school by shooters on web postings
– “in-Loco-Parentis” status of the school

Columbine (Continued)
• Factors in Favor of Dismissal:
– Qualified governmental immunity
– No deliberate indifference
– No proximate causation under Colorado Law despite awareness by the school defendants of warning signs of potential violent behavior
– Harris and Klebold were the sole proximate cause

Premise Where Mass Violence is Foreseeable
• Seron v. Malagaliati 1998 Mass. Sup.
LEXIS 46
• Abortion clinic in Massachusetts
• Shooter kills one and injures another
• Injured security guard sues land owner
• Motion for Summary Judgment denied
– This is the type of facility where the potential for armed violence is foreseeable
– Question of Fact as to the adequacy of security despite presence of an unarmed guard

Contracts and Post Orders

Key Issues to Avoid in Security Industry Contracts and Post Orders
• “warranty of service”
• “third-party beneficiary status”
• “guarantor of safety”
• “crime prevention”
• “security consultant”

No Warranty of Service
• Land owners use market forces to attempt to transfer liability to security providers
• Cross claims in litigation typically include cross claims or third party claims against security service providers
• Claims are framed in terms of a guaranteed result
• NEVER WARRANTY A RESULT

Third Party Beneficiaries
• New York and Majority Rule is:
– Third parties, such as tenants or patrons, cannot bring their own action against a security provider unless the contract expressly provides for such a benefit
– Bernal v. Pinkerton’s Inc., 52 A.D.2d 760, 382 N.Y.S.2d 769 (1st Dept. 1976)

Insurance and Risk Transfer
• Landowners also use market forces to transfer risk to the security service provider
• Majority and New York rule is that an entity cannot be forced to indemnify another for that other entity’s sole negligence
• This can be modified to the extent that the landowner requires to be named as an additional insured on the security service provider’s policy
• Indemnity provisions must be unequivocal

Data Privacy Risk
April 09, 2014

Panelists

Kurtis E. Suhs
Vice President
Ironshore, Professional Risk
Kurtis.Suhs@Ironshore.com
(404) 845-7549

Jane Devron
Executive Vice President
Reputation Partners, LLC
Jane@ReputationPartners.com
(312) 222-9886

Daniel Hecht, Assistant Vice President
Ironshore, Claims
Daniel.Hecht@Ironshore.com
(646) 826-4869

Melissa K.
Ventrone
Attorney at Law
Wilson Elser Moskowitz Edelman & Dicker, LLP
Melissa.Ventrone@WilsonElser.com
(312) 821-6105

Question
If you could only do one thing in preparation for a breach, what would it be?

Who are the victims?
• 37% of breaches affected financial organizations (+)
• 24% of breaches occurred in retail environments and restaurants (-)
• 20% of network intrusions involved manufacturing, transportation, and utilities (+)
• 20% of network intrusions hit information and professional services firms (+)
• 38% of breaches impacted larger organizations (+)
• 27 different countries are represented
– A plus (+) sign indicates either a 10% or greater increase from the previous year’s report
– A minus (-) sign indicates a 10% or greater decrease from the previous year’s report
Source: Verizon 2013 Data Breach Investigations Report

Causes of Data Breaches
Advanced Persistent Threats
• Internet Malware Infections
– Drive by downloads
– Email attachments
– File sharing
– Pirated software
– Spear Phishing
– DNS & Routing Mods
• Physical Malware Infections
– Infected USB memory sticks
– Infected CD’s and DVD’s
– Infected memory cards
– Infected applications
– Backdoored IT equipment

Causes of Data Breaches
• Advanced Persistent Threats – External Exploitation
– Professional Hacking
– Mass vulnerability exploits
– Co-location Host Exploitation
– Cloud Provider Host Exploitation
– Supply Chain Partner Exploitation
– Rogue Wi-Fi penetration
• Human Error

Enterprise PrivaProtector 9.0 Coverage

Third Party Coverage
• Side A Excess D&O Liability Coverage
• Network Security Liability Coverage
• Privacy Liability Coverage
• Privacy Breach Expenses Coverage
• Regulatory Proceeding Coverage
• Internet Media Liability Coverage

First Party Coverage
• Digital Asset Loss Coverage
• Business Interruption Loss and Dependent Business Interruption Income Loss Coverage
• Network Extortion Threat and Reward Payments Coverage

Highly Protected Information (HPI) Enhancement Benefits
• On-Call Chief
Security Officer with 1 hour free telephone consultation
• Data Breach Coach with 1 hour free telephone consultation
• Privacy Breach Expenses in addition to Policy Aggregate
• Notification for up to 10 million affected customers
• Access to Ironshore e-Risk Hub loss portal https://www.eriskhub.com/ironshore.php
• Ability to qualify for the risk mitigation credit and achieve HPI designation to reduce premium and/or Privacy Breach Response SIR

Reputation: What’s at Stake?
The Target Data Breach Is Becoming A Nightmare – 1/17/14
2 million Facebook, Gmail and Twitter passwords stolen in massive hack – 12/4/13
Advocate Health Care sued following massive data breach – 9/6/13
Facebook admits year-long data breach exposed 6 million users – 6/21/13
Florida Hospital facing class-action suit for data breaches – 4/16/13
Michaels Stores Sued After Reporting Possible Data Breach – 1/27/14

Data Breach: Mitigating Reputational Risk
Response (after a breach):
• Urgency – Don’t sit on it; Notify thoughtfully but quickly
• Don’t Under-React – Resist the desire to soften the blow or underestimate the scope of the breach; Will come back to bite you
• Transparency – Acknowledge what you know, how you expect people to be impacted and specifically how you plan to remedy
• Empathy – Prepare for a range of reactions (anger, fear, frustration); Assuage fears and offer support (credit monitoring and resolution services, etc.)

Data Breach: Mitigating Reputational Risk
Planning (before a breach):
• Develop a Plan – Messages/materials drafted, spokespeople identified and trained, dark site developed, roles/responsibilities defined
• Invest in Reputation – Build trust and a bank of goodwill

Questions