Massive data breaches have become an expected holiday season event. This week, a BuzzFeed contributor listed the 10 biggest “hacks” of 2014 (eBay, the USPS, etc.), and the bad publicity stemming from these security failures can be especially damaging during the year’s biggest shopping period.
Retailers have different approaches in defending their reputations after these breaches. Target, for example, sent its CEO to CBS to call the trend “an industry issue” while its CMO displayed its social media “war room” on CNN. Home Depot blamed Microsoft Windows, and other retailers have pointed fingers at credit card companies themselves for failing on the security front.
The question, for retailers and the PR firms/internal teams telling their stories to the public is: what’s the most effective way to balance transparency regarding data security with the need to protect one’s reputation among a skeptical public?
Five industry veterans give us their takes after the jump.
Sandra Fathi, president and founder of Affect Strategies, which recently published a guide to maintaining a brand’s standing in the wake of a hack:
“Everyday we are hearing about a new data breach — from companies large and small. It’s not a question of ‘if’ it is going to happen to your organization, it is a questions of ‘when’ and ‘how’ will you respond.
Companies need to have a plan in place, as part of their crisis communications program, or independently, that considers what will be communicated to customers and the public, how it will be communicated and what will be done to remedy the situation. The resolution is typically part technical (to put technical safeguards in place to prevent another breach) and procedural (to create policies and operating procedures) as well as managerial (to ensure that policies are enforced). However, the long-term recovery and the ongoing reputation of a firm typically hinges on the communications strategy. Customers can be very forgiving if they feel an organization is honest, transparent and accepts accountability for a mistake.”
Gini Dietrich, founder and CEO of Arment Dietrich and author of Spin Sucks:
“Last year, right before the holidays, Target was hit with a data breach. Before the breach, their “BuzzScore,” as developed by YouGov, was 26 points. By the very next day, their popularity dropped 35 points to -9. Just three days later, it was still dropping, and bottomed out at -19. Today, though, nearly a year later — and after fumbling several times, including with the resignation of their CEO — their popularity is back.Here’s why:
- They have taken steps to be certain it doesn’t happen again. Of course, they can’t totally prevent it from happening again (the 60 Minutes special this past weekend shows how savvy these hackers are), but they are putting more resources behind the security of their customer’s information, and they’re very transparent about that.
- They monitor their reputation equity and have worked hard in the past year to build their BuzzScore to above where it was before the breach.
- They’ve moved on and exceeded expectations. Today they’re in the news for the designers they’re signing, #AlexFromTarget, and more moves that align with their brand.”
Peter Himler, PR vet and founder/president of Flatiron Communications:
“Make no mistake about it: consumer data breaches can bring even the most esteemed retail brands to their knees. Just consider what befell Target and Home Depot in the aftermath of their massive data breaches.
What I haven’t seen or heard much about are the precautionary steps other prominent retailers have taken — before such breaches occur. It’s encouraging that Whole Foods, Staples, Macy’s and others now accept Apple Pay, with its fingerprint ID verification, but I’d like to see more retailers embrace this and other advanced encryption technologies. Once they do, they should pre-emptively communicate their commitment to current and prospective customers.”
Erik Deutsch, principal at Excel PR and president of PRSA LA:
“As with any crisis, the general rule is transparency and taking responsibility. That said, there has been an effort by retailers to pass blame on to the credit card industry, claiming that security measures here in the U.S. lag other countries. This may indeed be true, but it’s not a message consumers want to hear from the stores they entrust with their credit card information.
Instead, retailers should focus on demonstrating how they’re investing on their own to protect their number-one asset – customers. Everyone understands the world is full of bad guys, so there’s no need for retailers to spin or pass the blame. It sounds cliché, but the best PR is to do the right thing, and the right thing now is for retailers to do all they can to invest in prevention and help affected consumers…and then communicate those efforts with a profound lack of arrogance.”
Stan Steinreich, president and CEO of Steinreich Communications:
“The data breach issue is unfortunately a new business risk reality for all companies. As with any crisis management issue, being quick to respond and forthright in your explanation and then getting back to business as usual is the right communications approach. If we look at the Target conundrum, for example, they were very transparent about what occurred a year or so ago, notified their customers and the public, made changes to their platform — and then got back to work doing what they do best: retailing! Their response enabled them to hit record sales this year around Black Friday, a real testament to the strength of their brand and how they managed this crisis from a communications standpoint.
It is important to remember that a company will take a few blows in the ring of public opinion. However, coming clean with a statement on what happened, how it is being repaired and then getting back to good business practice will right the ship.”
Do we agree? Is Target the model to emulate — and is new technology the best way to prevent future breaches?