Step 9 of the Belgian Privacy Commission’s guide to getting started with GDPR compliance concerns detecting, analyzing, and dealing with the fallout of a data breach. The recent recall and re-issue of Estonia’s smartcard IDs brought home to me that public relations (PR) planning is an essential part of breach preparation, not to protect the public’s privacy (PR can’t do anything to remedy a breach), but to mitigate the reputational damage to the firm.
On November 3rd of this year the government of Estonia suspended use of that country’s smartcard IDs due to a recently discovered security flaw (link), specifically an encryption vulnerability. There were no reported incidents; the measure was described by a local security consultant as an “abundance of caution”. Nevertheless, such a wide-ranging update might make Estonian citizens wonder how many more unexpected surprises will turn up as time goes on; in other words, Estonia suffered reputational damage.
On November 14th Estonia reported that it had arrested a Russian national who “had been intent on hacking into [Estonia’s] computer network” (link link) and that this person, a 20-year-old, works for the Russian spy agency FSB. The timing of this story was either a lucky coincidence or a brilliant PR strategy.
Estonia made no claim that the arrested Russian had anything to do with the encryption problem (he almost certainly did not, as the problem was caused by faulty encryption libraries from a single manufacturer). Estonia provided no theory as to how one so young had attained such a level of expertise, nor what penetration advantage he derived by being physically present in Estonia. The mere juxtaposition of the two stories, so close in time, accomplished several PR objectives:
- it creates the illusion among many that the ID-card problem was somehow caused by Russia (a kind of cognitive bias known as the post hoc fallacy (link))
- it replaces the ID problem as the top story in the local news, reducing the attention that the ID problem receives
- it reinforces the government’s claims that it is being vigilant in guarding its citizens’ security against its historical enemy
Perhaps the timing of the release of the hacker story was coincidence, but it is easy to see behind it the hand of a brilliant PR person, a modern Don Draper (link).
Whether lucky coincidence or clever strategy, this story provides a textbook case on dealing effectively with the PR fallout of an incident. An embarrassing situation was mitigated by nudging the breach story out of the public eye and giving the impression that the country is vigilant in guarding its citizens against determined and sneaky foes.
Back to Step 9, breach preparation: the point of all this is to emphasize the value of a PR plan as part of preparing for a breach. If your organization is large enough to have a PR department, or a firm on retainer, then you are large enough to need PR contingency plans for the most likely scenarios.