Hepler Broom, LLC

Arby’s: We Have the Breach! Cautionary Observations on Reputation Management and Cyber Breach Disclosures

May 9, 2017

Fast food restaurant chain Arby’s Restaurant Group Inc. is known for its great hot roast beef sandwiches and catchy slogan: “We have the Meats!” Arby’s is now communicating a different message; it may be the latest victim of a significant cyber breach.

How are we to digest this? We have grown somewhat immune to the now frequent website notices or press releases that announce that although no one is known to have been harmed, yet another potential information security incident has taken place at yet another company that may have once again exposed customer information.

So what can a company in Arby’s position do? If they choose to say nothing, there is risk of appearing indifferent and losing some control over how they are perceived. If they do say something, there is a different set of risks. The Arby’s situation invites discussion of how effective these communications are in protecting a company’s reputation as it figures out what is really going on and what more specific legal disclosures may be required. And what do you look for in a reputation management advisor to help you work through the situation?

Arby’s recent website report reveals that it is investigating its payment card systems about a possible breach, but it disclosed few details. The privately held, Atlanta-based company’s statement noted only that it was “recently provided with information that prompted it to launch an investigation of its payment card systems” and that it “immediately notified law enforcement and enlisted expert leading security guards.”

The company also said that while the investigation is ongoing, it “quickly took measures to contain this incident and eradicate the malware from systems at restaurants that were impacted.” Further, it reminded guests that “it is always advisable to closely monitor their payment card account statements” and to report unauthorized activity.

Arby’s messaging can be broken down into three parts: (1) the problem in general terms, (2) swift responsive actions taken to assuage readers’/consumers’ concerns, and (3) deflection of responsibility. Some of the language is confusing and some is puzzling (what are “expert leading security guards” in this context?). But it is important to note that while Arby’s has chosen to say something, what they have said is not devised to be legally adequate to constitute notice to consumers under a variety of state breach notification laws.

So what exactly did Arby’s accomplish by this release? They deserve high marks for wanting to say something to warn their customers, even if they required them to go to their website to read about it or pick up on a back-page news article quoting the limited statement. Like many other consumer or retail businesses, they have no readily available customer list for a strategic blast message, so arguably they did what they could. It is important to be transparent—to get out in front of this kind of bad news and to signal to customers, the media, and regulators that they are aware of the incident and actively working on it.

Preliminary disclosures require guidance from internal or external public relations and communications professionals to develop an effective release. Arby’s accomplished something positive by avoiding the appearance that they swept a cyber security incident into the virtual trash bin. They also understand the dynamic that customers may assume their credit card merchant bank will be on top of the situation, particularly if they honored the transaction. So the “steak” holder may not really care but may be glad that Arby’s let them know to keep an eye out for a problem.

No two situations are exactly alike, but it is also important to understand that both words and timing matter.

There is a natural temptation to say something quickly, to get out ahead of the story. Take a deep breath. Unnecessary or premature disclosures can cause more harm than good. The drivers on disclosure are obviously different for publicly held and privately held companies depending on materiality assessments. If you wait too long, you risk infuriating your customers by standing silent and appearing to hope the circumstances will never come to light. But think hard if you are considering a public statement before you have sufficient information about the existence and scope of an information security problem. Understand that your next steps and necessary follow-on communications will depend on how the breach investigation unfolds.

If you are confronted with a cyber breach that threatens compromise of consumers’ personal identifying information (PII), personal health information (PHI), or credit card information and you decide to say something, you need to evaluate what you say carefully and know whether that preliminary disclosure needs to be followed by a formal notice compliant with legal requirements of breach notification statutes. There are 47 different breach notification statutes among the 50 states. You may be compelled to offer credit monitoring or repair services. You may become embroiled in insurance coverage disputes for response costs or interpretation of exclusions or sub-limits. Arby’s did not compromise these considerations in their website statement.

Companies should remember, however, that well-intentioned but ambiguous statements about what happened or what cyber defenses were in place may invite industry association liability (i.e., payment card industry fines), consumer class actions, shareholder class actions, or derivative claims, It may also draw the attention of the Federal Trade Commission (FTC). The FTC has pursued unfair and deceptive practices claims under the Federal Trade Commission Act against a number of companies based on the companies’  failures to institute reasonable cyber protection controls or deliver on privacy statements. Remember: your words can used against you.

The best course is to consult with both trusted legal and reputation management professionals who can help you manage the complex issues on whether to disclose a cyber problem, and, if so, how to formulate an effective but protective message to minimize collateral reputational harm. While any statement like the one issued by Arby’s is subject to hindsight evaluation, likely no two reputation management professionals (or lawyers) would agree on the most effective communication, and there is no perfect communication formula. Perhaps there is no absolute right and wrong way, but there are likely better and worse ways. Experienced, coordinated guidance makes for better judgment calls on both timing and content.

Who do you turn to for guidance on such communications? To evaluate PR/reputation management professionals, you should carefully assess:

  • The type of reputation management or PR firm. (Are they primarily marketing oriented, or do they have experience in crisis management communications?)
  • Their experience with cyber breach or security breakdown situations and examples of prior work products for clients dealing with communications about the breaches or breakdowns.
  • Their responsiveness to emergent situations and ability to react quickly.
  • Their willingness to be part of a coordinated breach response plan or policy.
  • Their listening skills and ability to incorporate legal considerations into communications.
  • Any relevant industry-sector experience.

Couple your reputation management advisor with legal counsel who is experienced in cyber security matters and disclosure obligations and who has the capacity to work seamlessly with communications professionals.