By David Fuscus, CEO of Xenophon Strategies
“Year of the Retailer Breach” was how Verizon recently described 2013 in their annual Data Breach Report, saying that it “was a year of transition… to large scale attacks on payment card systems”. The report documented 1,367 confirmed data breaches, the largest and most infamous of which was the massive amount of customer information stolen from Target during the busy Christmas shopping season.
Target’s initial handling of the breach was so poor that the iconic bull’s-eye logo had rested squarely on their corporate forehead for months and the Board of Directors finally pulled the trigger and fired CEO Gregg Steinhafel and Chief Information Officer Beth Jacob. Target’s struggles and executive replacements can only lead one to speculate that their next financial results will be ugly.
Target’s initial communications response was particularly bad because they acted so slowly; media reports started on December 12, but the breach wasn’t publicly acknowledged for seven days. Target finally instituted a comprehensive response program (including free credit reports) and a PR campaign to repair the damage, but it was too little, too late — the data breach steamroller was already in motion and crushing customer trust.
And it wasn’t just Target; Neiman Marcus stands out as another retailer who bungled public communications about a massive data breach. Rumblings of multi-breaches at Neiman’s first appeared in mid-December and a forensic firm discovered evidence of the breach on January 1st, but it wasn’t until January 10th that they were forced to acknowledge the crisis after security blogger Brian Krebs broke the story, and they didn’t officially announce the crisis until January 23rd. Their initial media communication efforts were pitiful, mainly an on-demand only statement for journalists. A key rule of crisis communications is to define yourself rather than be defined, and Neiman Marcus took few and inadequate actions to communicate on a broad level to the public and their customers.
Data breaches are the worst type of modern corporate crisis because they directly impact masses of individual customers on a financial and emotional level. When people are personally hurt or threatened, they can become powerful influencers when those stories are amplified across social networks; when millions are individually threatened, their reaction can severely damage an entire business, regardless of size.
So how could sophisticated, well-managed companies like Target and Neiman Marcus bungle their data breach communications so badly? It’s not like the basics of crisis communications are mystical: define rather than be defined, fast self-disclosure, respond directly to customers and undertake public-facing actions to ensure it never happens again.
While the reasons for Target’s and Neiman Marcus’s communications decisions are only known within the company, there are some likely candidates:
- Legal vs Communications. In a crisis, the first priority of competent communicators is to publicly define the situation and exert some influence with the media and customers. The first priority of legal professionals is generally to put the company in the best possible position for litigation, especially when litigation will be massive. If a company hasn’t addressed the balance of brand damage vs. litigation before a crisis, it inevitably leads to delay as senior executives tend to defer to their legal teams.
- Speed vs Full Information. In any data breach, having a full understanding of what happened can take days, weeks or months. Target’s internal investigation and report on their breach still isn’t done five months after the event. Waiting for full or robust information can waste precious time and allow the story to break from another source. Arts and crafts giant Michaels suffered a data breach shortly after Neiman’s and Target, but they announced a potential breach as soon as they discovered it, engaged with the media and opened a CEO-level dialogue with their customers. By jumping out ahead of the story, Michaels was viewed as competently managing the crisis and working to protect their customers.
- Communications Infrastructure. When a crisis explodes, public attention is almost instantaneous and can be massive both in the news media and on social channels. The level of attention and potential ferocity is outside the experience of most business executives and, with no base of experience, ill-informed decisions can reign. Corporations need to plan for crisis communications, build infrastructure and have the proper outside resources on tap so that they can instantly ramp up and engage with both the media and their customers.
Public communications after a data breach need to be comprehensive — a company needs to understand its ability to respond to the media and customers, whether it is through the press, social channels, call centers or stores. And the execution of fast, meaningful communications depends on the advance identification of issues that can slow down a public response — be it lack of preparation, communications infrastructure or insufficient planning between a company’s communications, legal and technical functions.