Retailers Are Finding That Data Vulnerability Can Undo Years of Brand Equity

“Big companies spend millions, billions of dollars building their brands over 20, 30, 40, 50, 100 years,” says Eric Chiu, president and co-founder of cloud security automation firm HyTrust. “If something bad happens, like the breach at Target, all that can be gone in one fell swoop.”

First and foremost, companies should take all possible steps to safeguard sensitive data. An ounce of prevention (translation: millions of dollars in technology upgrades and IT hires) can outweigh a pound of cure (many more millions of dollars and months of PR, social and paid-content spinning as a brand’s image threatens to go down the tubes).

Once breached, the familiar tenets of crisis communications—rapid response, transparency, opening multiple lines of dialogue with the public, press, shareholders and government—apply. However, there are some key differences. The issues surrounding cyber crimes can be complex and confusing, the protocols for public responses are ill-defined, and the news cycle can be long lasting. All this makes image management and restoration tricky. Most often, experts say, breached companies—even those that prepared beforehand—find themselves improvising as they go along, forced to respond as each new revelation unfolds.

Part of the problem is that the public has grown irritable with breaches and views corporate responses as just so much self-serving spin. A recent HyTrust survey found that almost 73 percent of 2,000 respondents believe organizations do not care about keeping their private data secure. And the public trust is likely to be rattled even further, as cyber crimes become even more common.

According to Risk Based Security and the Open Security Foundation, data-loss incidents in 2013 tripled year over year to 2,164, exposing more than 800 million records of one kind or another. More than 70 percent of these incidents involved outside attackers, with 25 percent of losses caused by insiders, usually through accidents or human error. (The business sector accounted for 53 percent of all incidents and nearly 75 percent of the records exposed.)

Given this trend and the fact that hackers have grown more brazen and sophisticated, companies of all types and sizes should view breaches “as an inevitability, and take measures before the crisis,” says Renée Richardson Gosline, assistant marketing professor at MIT’s Sloan School of Management. This holds especially true for big retailers, increasingly targeted for their rich stores of customer information gleaned from billions of annual transactions.

Retailers = Targets

Crooks really hit the bull’s-eye with Target. At the height of the 2013 holiday season, hackers accessed payment-card data and personal information (names, addresses, emails and phone numbers) of 110 million customers. Target said costs associated with the cyber invasion totaled $61 million in its fiscal fourth quarter, contributing to a 46 percent decline in net income to $520 million (81 cents per share) versus $961 million ($1.47 per share) the previous year.

Target is not alone. The credit cards of at least 350,000 Neiman Marcus customers were breached from July though October of last year. (It initially said 1.1 million cards might have been compromised.) The luxury retailer estimates legal fees and other costs related to the theft amount to $4.1 million so far. (It swung to a fiscal Q2 loss of $68 million versus a profit of $40 million the prior year.)

There’s more. Michaels Stores in January reported possible fraudulent activity on payment cards used at some of its stores, though the level of theft, if any, was unclear. In February, Sears said it was investigating whether its systems had been breached (none’s been detected so far). A few weeks ago, Sally Beauty Supply disclosed a cyber attack that it later said affected fewer than 25,000 customers.(Reps from those companies either declined to make executives available for comment or did not respond to Adweek’s queries.)

The damage that can be caused by these snafus cannot be overstated. Some experts say data breaches even have as much potential for harming brands as the BP and Exxon Valdez oil spills or the deadly Tylenol capsule poisoning. “Breaches hit pocketbooks, reputations and credit ratings—this is deep pain” that can linger in consumers’ minds, says Allan Steinmetz, CEO at Inward Strategic Consulting. He advises breached companies “to bend over backwards and give consumers confidence that the problem has been solved.”

During its Tylenol travails, Johnson & Johnson did just that. As part of an aggressive brand-saving push, the company, readers will surely recall, yanked bottles off shelves and warned consumers not to use any they had on hand. The company exchanged capsules for solid pills and ultimately reissued the product in safer packaging. It remains as perhaps the textbook example of crisis management in corporate history.

But the Tylenol situation is not entirely analogous to those companies now facing cyber-theft meltdowns. “The main problem with data breaches is that we don’t know how to solve the problem,” says risk communications expert Peter Sandman. “And companies are resisting some of the partial solutions that are readily available.”

Indeed, breached companies are often their own worst enemies, which makes staging a comeback (or preventing problems in the first place) that much harder. Says Sandman: “We can’t trust companies to prevent breaches; we can’t trust them to take all possible steps to try; we can’t even trust them to take some reasonable but expensive steps that have been adopted elsewhere but are still being extensively debated here.” 

Illustration: Noma Bar

Ounce of Prevention

Continue Reading