Free fixed the breach. Paid the astronomical €42M fine. And yet, trust hasn’t returned. The reputational crisis continues.
Why? Because a crisis plays out as much in perception as it does in facts. The CNIL* fine closes the regulatory file. It doesn’t close the trust crisis.
The CNIL’s decision notes more than 2,500 complaints filed by affected individuals — significant enough to trigger additional legal or administrative actions.
Consumer associations have publicly reminded subscribers of available remedies, opening the prospect of individual or collective actions. The trust relationship is damaged enough for customers to seek compensation.
*CNIL = France’s data protection authority, equivalent to the UK’s ICO
- Reminder of the Facts in the Free crisis
- The Crisis Doesn’t Arise from the Incident; Its Management Does
- Compliance Reassures… But Doesn’t Protect
- AI Mechanically Amplifies Trust Crises
- What This Case Really Reveals
- What to remember
Reminder of the Facts in the Free Case
The events are clear: a vulnerability, a cyberattack, an investigation, a massive fine.
The mistake made by Free: failing to properly prepare its crisis management and communication.
- In terms of compliance (ensuring that personal data was protected)
- In terms of messages sent to customers (lack of clarity)
The result: public perception was disastrous.
This pattern isn’t unique to France. TalkTalk (2015) lost 95,000 customers despite technical fixes. British Airways (2018) faced lasting reputational damage despite a swift technical response. Virgin Media (2020) saw 900,000 customer records exposed for 10 months — undetected. And as recently as 2024, Three Mobile UK experienced a major breach affecting millions.
Fortunately, this cyberattack was only technical. There was no manipulation of perception via AI.
This point, recently highlighted in a LinkedIn post in French featured by LinkedIn News-FR, becomes particularly critical in the AI era, where the perception of reality can be altered, accelerated, or weaponized at scale.
The Crisis Doesn’t Arise from the Incident; Its Management Does
Hurrying to repair systems is urgent and vital. But neglecting crisis management is fatal.
The cyberattack is the trigger. But the crisis doesn’t arise from the incident itself. It arises from how that incident is understood, explained, and handled.
It is a common mistake to focus the crisis on the technical incident.
Cybersecurity solves technical problems and protects data, but it cannot protect against panic among stakeholders, legal compliance issues, media pressure, or loss of customer confidence.
The Trust Crisis plays on Four Key Factors
✅ Credibility → Is the organisation perceived as responsible or defensive?
✅ Consistency → Are the messages consistent or contradictory?
✅ Clarity → Is the explanation understandable or buried in jargon?
✅ Responsiveness → Who speaks first and sets the tone?
Compliance Reassures… But Doesn’t Protect
Free has fallen short on compliance, which is a legal minimum. But it is not a guarantee of trust.
Being compliant ≠ being credible.
Compliance protects against the regulator. It doesn’t protect reputation, perception, or relationships with customers or partners.
When the Sanction Arrives, the Battle for Perception Is Already Lost
Because the sanction always comes after:
- information circulation
- opinion formation
- narrative crystallization
At this stage, reality is already interpreted, commented on, sometimes weaponised. This is where the real crisis plays out: in the ability — or inability — to govern perceived reality.
AI Mechanically Amplifies Trust Crises
In the AI era, these trust crises will tend to intensify because:
- Information circulates faster than decisions.
- Interpretations multiply.
- Generated, distorted, or weaponized content blurs reference points.
In this context, crisis management hinges on the ability to govern the perception of reality before it fragments.
The veil lifted by this case
The Free case is neither isolated nor exceptional.
It highlights a persistent structural fragility: limiting crisis management to technical and compliance issues. In other words, simply ensuring that technical and legal requirements are met.
The trust of an organisation’s employees and customers is fragile, and their loyalty is volatile. Losing it has repercussions that last for years.
This reality is all the more true in the age of AI, where information circulates faster than established facts, becomes fragmented, and can be weaponised. In the AI era, the crisis hinges on an organisation’s ability to quickly offer:
- a credible framework for understanding, before reality disperses into competing narratives
- landmarks of reliability and authenticity to hold on to
- a reference figure to turn to in case of doubt
This capacity has a name: truth governance. It absolutely must be prepared ahead of crisis situations.
Consequently, it is a serious mistake to consider that protection against cyberattacks, and managing their consequences, falls exclusively to technical teams or the CISO. A trust crisis engages strategy, communication, legal, customer relations, and ultimately, the collective responsibility of the entire executive committee.
Finally, preparing for crisis management involves looking for weak signals. In many cases, warning signs already exist: message inconsistencies, decision-making delays, internal tensions.
What to Remember in the AI Era
Fixing an incident is essential.
Managing the crisis well is critical.
But governing reality becomes strategic.
The real question is no longer just about correcting what went wrong, and ensuring that the company complies with the law, but about whether an organisation is capable of preserving trust when reality itself is challenged or contested.
Is your organisation truly ready?
