Hill Dickinson partner Magnus Boyd explains why companies should care about negative or inaccurate stories about them and why protecting data is so essential

If the ‘business of business is business’ why do organisations need to care about their reputations?

Society needs to acknowledge the value of reputation and recognise its equal status to freedom of expression. Reputation is integral to the value of a business. It also forms the basis of many decisions in society that are fundamental to its well-being, such as: whom to employ or work for, whom to promote, whom to do business with or to vote for. Once besmirched by an unfounded allegation in the media or online, a reputation can be irreparably damaged, at which point, society as well as the individual is the loser. As British Law Lord Lord Nicholls once said: “Protection of reputation is conducive to the public good”. As a society, we need businesses to care about and protect their reputations because of the value to us, as individuals, in those corporate reputations. If the reputation of a business is damaged, the assets, goodwill and a value of that organisation are not the only elements that are affected. The ripples can include the loss of jobs, broken supply chains, dropping share prices and underperforming pension funds.

What are the main threats to business reputation?

Every business has its own unique reputational risk profile made up of a jigsaw of operational, organisational and regulatory pieces. These pieces and the perceptions of the various stakeholders determine from where the main threats to business reputation come. Protecting the reputation of a business begins with an appreciation that each organisation has its own exclusive areas of vulnerability.Against this backdrop, growing access to the Internet, the rise of citizen journalists, digital whistleblowers and anti-corporate campaigners together with long-term changes in publishing and the media have provided an environment in which corporate reputations are under greater attack and those reputations are more vulnerable to damage than ever before. 

What steps should companies take when a negative story about them has broken out?

By the time a negative story has been broadcast or published, the company will have few options but to explore a regulatory complaint or litigation in order to mitigate the damage and vindicate its reputation. Anticipation and strategic forward planning are the only useful and cost-effective approaches to reputation protection for companies to manage issues so as to prevent them from becoming crises. Reputation audits are an invaluable tool by which an organisation can take stock of what events or processes are coming up from one quarter to the next and to anticipate how and in what way they might attract negative media attention. The audit process can then provide a structure to help every level in the organisation work together to prevent and manage those events and processes so that any media attention they might attract is fair, informed and accurate. Some crises are impossible to predict. However, experience has shown that companies that engage in the process of reputation audits are better able to manage the crises that they could not predict as well as those that they had anticipated.

Why should a company stop inaccurate or false information about it on the Internet?

In a 1919 judgment, the Associate Justice of the US Supreme Court, Oliver Wendell Holmes stated that: ‘‘The best test of truth is the power of the thought to get itself accepted in the competition of the market”. Almost a century later, the Internet has given rise to an acceptance of the ‘marketplace of ideas’ metaphor – namely that, ultimately, what emerges from debate is the truth - and companies therefore need not worry about the level of inaccurate or false information that is accessible on the Internet as the truth will come out. I disagree. Comment is free, but facts are sacred, as British journalist, publisher and politician CP Scott observed, and it is the role of the courts to protect those facts from market forces. Too often, the solution offered to dealing with inaccurate or false information is to add further information into the debate. However, this may only perpetuate the churn of information and obfuscate the facts. For instance, if a non-governmental organisation or newspaper publishes a serious allegation about a company and the latter, in reply, puts out a press release denying the allegation, the public is likely to interpret that denial cynically and not trust it. All too quickly the public becomes confused and does not know what is right and who to believe. Companies owe a duty to the public to be proactive in stopping inaccurate or false information being spread over the Internet. It is not in the public interest for the public to be misled.

How can a company stop inaccurate or false information about it on the Internet?

All the major social networking platforms have procedures in place for the removal of false and defamatory material and, in extreme cases, organisations have recourse to the courts. Following the European Court of Justice’s decision against Google in May, it is now possible to get false, inaccurate and out-of-date material about individuals that is not in the public interest removed from search engines. Usually, the issues surrounding the removal of inaccurate or false information about a company are more prosaic and concern the identity or jurisdiction of the offending author. Increasingly, however, the courts will grant orders to enable the investigation and disclosure of information necessary to flush out the wrongdoers. Ultimately, prevention is better than cure (and cheaper) and companies that undertake regular reputation audits are better at anticipating and neutralising threats before they appear online.

Do you think that protecting data is becoming as important for businesses as protecting other more tangible assets?

As companies collect ever more data the opportunities to exploit that data for commercial use are also increasing. As a result, data is fast becoming the single most valuable business asset to protect. Data is also becoming the single most important asset to protect owing to the reputational damage that can ensue in the event of data theft or accidental loss. It is the personal nature of much of the data that organisations store about individuals that makes the general public so sensitive to the threat. A security breach can amount to a breach of trust in the organisation and that is why it is such an acute risk to reputation.

Should businesses be worried about class actions following major data breaches?

Organisations in sectors that routinely deal with the sensitive personal data of significant numbers of people will have a great deal to be afraid of in respect of class actions in the event of serious data breaches. The EU Data Protection Regulation, which is likely to come into force in about two years’ time, provides scope for individuals to sue organisations for data protection breaches, rather than complain to the Information Commissioner or other regulators. Organisations have a two-year opportunity that they must seize to ensure they comply with their existing data protection obligations as a foundation for ensuring that they are able to be regulation-compliant. Under the terms of the draft regulation, organisations will be required to explain their use of personal data in detail to clients and to seek prior consent to that use. It will be possible to collect only the minimum amount of data required for a specific purpose and organisations will have to be transparent about what data they are collecting and why. They will have to train and appoint or hire data protection officers to ensure that the regulation is properly applied at every level. Data security breaches will have to be notified to the Information Commissioner and potentially to each individual whose data has been lost or stolen - with all the attendant adverse publicity that such notification is bound to attract.

This article first appeared in Strategic Risk magazine.