
Case Study: Hotel Cybersecurity


The hackers are coming. How will you respond?

What will you do when the hack hits your system?

Earlier this week the payment system of upscale hotel operator HEI was hacked, compromising credit card information of an “undisclosed number” of people. HEI, whose portfolio consists of Hyatt, Sheraton, Marriott, and Westin, isn’t the first to suffer a data breach. It joins the ranks of UCLA, Target, Home Depot, Ashley Madison, Sony, Neiman Marcus, and many others.

 

Instead of dwelling on the danger this poses to companies and consumers, let’s focus on how HEI handled the situation.

Similar to how Whole Foods handles recalls, HEI responded quickly by popping up a dedicated area of their website to answer consumers’ questions and reassure them.

The main page is brief and easy to read, with a quick intro and a table of contents telling where to find more information. Let’s break down the intro. Each sentence has a distinct purpose.

“Unfortunately, like many other organizations, we recently became aware that several of our properties may have been the victim of a security incident that could have affected the payment card information of certain individuals who used payment cards at point-of-sale terminals, such as food and beverage outlets, at some of our properties.”

This (really long) sentence accomplishes several things: Shows remorse; puts things in perspective by reminding you that hacking is now a common occurrence; explains what happened using conditional words like “may” and “could” to limit liability and fear.

“We take very seriously our responsibility to keep our customers’ information secure, and have mounted a thorough response to investigate and resolve this incident, bolster our data security, and support our customers.”

This affirms that HEI doesn’t take a threat to consumers’ information lightly and states what they’re doing to fix it.

“We are pleased to report that the incident has now been contained and individuals can safely use payment cards at all of our properties.”

Starting off with “We are pleased” is a great way to signal the problem is over and you’re “safe” to return to normal activity.

“We are sorry for any concern or frustration that this incident may cause.”

Shows that HEI cares. Notice they again say “may” because they don’t want to suggest that all of their customers were affected or frustrated.

 

“Based on the findings of our investigation, we are providing the following information and resources for our customers:

A detailed Notice Letter that explains what happened, describes the actions we’ve taken, and provides information and resources to anyone who may have been affected.

A Frequently Asked Questions document, delivering additional information that we anticipate that our customers may want or need.

A List of Affected Properties, segmented by state and providing street addresses, for reference by our customers.

Access to a Toll-Free Call Center, with operators standing by to address customer questions and concerns about this incident. You can reach this call center by dialing 888-849-1113 between 9:00 a.m. and 9:00 p.m. Eastern time, Monday through Friday.”

 

This bundle of bullet points almost had me clapping. They’ve got all the basic elements of a crisis packet.

The Notice Letter gives you a more detailed statement that spells out what occurred, what HEI’s doing, what you can do, and a number you can call if you’ve still got concerns.

The FAQ hopefully deters people from flooding phone banks with questions over and over.

The List of Affected Properties is probably the most-read document. It answers the immediate question, “Hacked? Does this affect me?!?!” HEI put this list in two places because they wanted to be certain nobody overlooked it (as panicked people tend to do).

 

Finally, they provide a number for customers to call. This demonstrates they’re there to help.

“We take this matter and the security of personal information very seriously and we will continue to review and enhance our security measures to further secure our systems. Again, please accept our sincere regret for any concern or frustration that this incident may cause.”

In closing, they remind you that they take this seriously and regret possibly causing any “concern or frustration.” These two elements are engineered to be calming and reassuring.

 

For a deeper glimpse into our world, see our book on Amazon, A Lawyer’s Guide to Crisis PR: Protecting Your Clients In & From the Media.

If you don’t already subscribe, please sign up for our blog, Insights on High-Stakes PR.

You can reach Roger Gillott and Eden Gillott directly at 310-396-8696.

 

Gillott Communications is a Los Angeles-based public relations firm that specializes in high-stakes Crisis & Reputation Management with more than 50 years of expertise in strategic communications, corporate public relations, and working with the media.

Follow us on Instagram and LinkedIn where we share amazing tips on how to protect your reputation and mitigate damage during a crisis.
