Posted: March 24, 2014
This response is categorized as:    link to Crisis Communication index  link to Outrage Management index
Hover here for
Article SummaryDavid Gianatasio of Adweek emailed me in mid-February 2014 about an article he was writing on “how data breaches and security concerns might impact brands such as Target” (which had announced a huge data breach two months earlier) and “how companies can handle the fallout.” In the weeks that followed, Dave sent me more specific questions. My answers stressed the importance of addressing the concerns of affected stakeholders as opposed to the general public; and of focusing on negative reputation as opposed to positive reputation. The reputational impact of a data breach, I argued, depends mostly on two factors: how competently a company was protecting customer data before the breach, and how empathically it responded after the breach. Very little in my answers is unique to data breaches. Similar advice can be found, for example, in “After the Disaster: Communicating with the Public” (http://www.psandman.com/articles/Schrimpf.htm), my response to a different journalist’s questions about an April 17, 2013 explosion at a fertilizer facility in West, Texas. Dave ended up focusing more on the specifics of the Target breach than on what companies should do about breaches, but he did find room in the last half of his March 23 article for several snippets from my answers.

Data Breaches:
Managing Reputational Impact

(a March 4, 2014 email responding to questions from David Gianatasio of Adweek,
with two March 16 follow-up emails interpolated)
David Gianatasio’s March 23, 2014 article drew from this email.
number 1
How damaging are data breaches to big brands?
number 2
Is the damage mainly short-term (bad headlines; perhaps a down quarter, like Target just had) … or are there long-haul ramifications brands need to worry about.

I don’t know what the evidence says about how much long-term reputational damage data breaches do. I would guess that as data breaches get more common (as I’m assuming they will), people will get more used to them.

Some people are already used to them. The first time you get a letter or email from some organization you do business with, telling you that some of your personal information might have been compromised, you freak out a little. This is called an “adjustment reaction,” a temporary over-reaction to a risk you’re not used to. Adjustment reactions are an unavoidable stage in the journey toward taking any new risk in stride. The third or fourth time you get a letter or email warning of yet another data breach, you remember that nothing very awful happened to you the other times. So you shrug philosophically and hope it will be no big deal this time either – maybe at worst just a couple of fraudulent credit card purchases you’ll have to refuse to pay.

Of course if you wind up a victim of serious identity theft because of such a data breach, your days of shrugging philosophically about the problem will be over. But people get used to living with a risk that hasn’t yet turned into a catastrophe for them or anyone close to them. Soon – all too soon, in fact – we revert from over-reacting to under-reacting … and we’re back to using 1–2–3–4–5 as a password and giving up personal information in response to somebody’s phishing expedition.

Obviously if people can get used to being told their personal information might have been stolen, they can certainly get used to learning that some organization they have nothing to do with has suffered a data breach. Already only the big breaches are newsworthy. Soon even they may be short squibs nobody reads.

In the meantime, I’d assume the reputational cost of any individual data breach depends chiefly on two factors:

  • To what extent was the breach the organization’s fault? Was management irresponsible in the way it handled people’s data? Was it dilatory about taking appropriate precautions? Did it exacerbate the impact of the breach by collecting more customer data than it needed for its own purposes, in order to sell the data? Did it ignore warning signs it should have heeded? Or was this simply a case of a cutting-edge criminal victimizing a well-managed organization?
  • How did the organization handle the breach once it happened? This is one is probably even more crucial than the first, especially with regard to long-term reputational damage. People are shockingly willing to forgive an error, sometimes even an egregious misbehavior, if an organization behaves decently in its aftermath. (Of course the third or fourth time you make the same mistake or commit the same infraction, forgiveness is tougher to come by.) Some details of how to handle a data breach are covered in the answers that follow.
number 3
Once there’s a big data breach, what should brands do to win back consumer trust? What should they do in the first hour? In the first 24 hours?
number 4
Three days later … what should they be doing?
number 5
Let’s say a month or 6 weeks have passed … are they out of the woods? Should they still be in crisis mode?

I don’t think “winning back consumer trust” is the goal – at least not if by “trust” you mean trust that there won’t be more data breaches. Odds are there will be. At best the company can try to build confidence that it has tried and will continue to try (and maybe will try harder) to reduce the risk. But organizations should not aim to foster undue trust – such as promising or seeming to promise that they will be able to succeed in thwarting all future data breaches.

As for how long the communications effort should last, the Target data breach went public in mid-December 2013; the Neiman Marcus breach was announced in January. Here it is March, and you’re still writing about them. So obviously these stories have legs.

And of course any bad news is more memorable to its victims than to journalists or the general public. That’s a crucial distinction. In thinking about how to manage the reputational impact of a data breach, let’s start by distinguishing four audiences:

  • The general public – people who have no particular contact with your organization, whose impression of it is based entirely on what they read and hear.
  • Unaffected stakeholders – people who aren’t affected by the breach but do have an ongoing relationship with your organization (for example, customers whose personal information you are confident wasn’t compromised).
  • Affected stakeholders – people with an ongoing relationship with your organization whose personal information was or might have been compromised.
  • Seriously damaged stakeholders – people who suffered real impacts (whose identities were stolen, for example).

I think companies and other organizations facing a reputational crisis tend to focus too much on the general public and too little on affected stakeholders. That tempts them to understate how serious the problem is, hoping to keep the media and the public as uninterested as possible. Though this strategy may work in the short term, it has a huge cost. Stakeholders who are affected or worried that they might be affected start to mistrust the company and its complacent-sounding assurances. So the crisis is prolonged, the controversy between the organization and its stakeholders gets nastier than it needed to be, and even the general public ends up with a bad taste in its mouth.

Smart organizations realize two things. First, what their stakeholders think of them matters more than what the general public thinks of them. And second, it is nearly impossible to sustain a good reputation in the minds of people who know little or nothing about you when those who know you best are getting angrier and angrier.

So when there’s a data breach, what ought to matter most is addressing the concerns of affected and seriously damaged stakeholders. Reassuring unaffected stakeholders is secondary. And trying to convince everyone else that nothing much happened is a big mistake.

A related issue is the two kinds of reputation management: “positive reputation management” (burnishing the good opinion of people who like you) and “negative reputation management” (mitigating the bad opinion of people who dislike you). These are separate goals. Many organizations are both much-loved and much-hated – consider Microsoft, for example, or Wal-Mart. The things you do to improve your positive reputation, such as philanthropy, don’t help much with your negative reputation. And vice-versa: Apologizing for a breach will diminish its negative impact, but it won’t do your positive reputation any good.

An organization like Target or Neiman Marcus obviously relies on its positive reputation, and wisely spends time and money trying to nurture it. But in a reputational crisis such as a data breach, what’s mainly at stake is an organization’s negative reputation – how much it’s hated, not how much it’s loved. Managing a reputational crisis isn’t public relations as usual. The focus needs to shift from publics to stakeholders, from positive reputation to negative reputation, from increasing affection to reducing outrage.

The need to focus on affected stakeholders and negative reputation explains why organizations should keep talking about a breach longer than they think they should. A company that was preoccupied with the general public and positive reputation might respond well initially, but then it would seek to make the breach disappear. For example, it might try to generate a lot of good news so the breach no longer showed up near the top of Google searches of its name. But if you’re worried about earning the forgiveness of affected stakeholders, it pays to wallow in contrition Link goes to YouTube – not just once but many times; not just until you’re sick of it (you’re sick of it before you start!) but until your stakeholders are sick of it, until they are actively asking you to move on, please, and stop with all the mea culpas.

There’s a seesaw at work here. The more you wallow in contrition, the quicker your stakeholders want you to move on. But if you try to move on before they’re ready to forgive you, that exacerbates your negative reputation problem and prolongs the crisis.

Other than staying focused contritely on the breach until your stakeholders are ready for you to move on, what else matters in the way organizations handle a breach? I could list dozens of recommendations. Here are six key ones:

  • Come out with the news fast. The clock starts ticking the moment you learn there’s a problem; you’ll be judged largely by the gap between that moment and when you go public. Waiting a few hours to learn more about what happened and figure out how best to respond probably does more good than harm. Waiting a few days usually does more harm than good. Waiting weeks or months virtually guarantees a reputational disaster.
  • Err on the side of caution. Assuming you’re not sure yet exactly how bad the breach is, talk about how bad you’re worried it might be. It’s fine to come back a few days later with reassuring new information: “It’s not as bad as we feared.” But it’s very destructive if you have to come back later to say “it’s worse than we thought.” So make sure your early damage assessments are pessimistic enough that you’re unlikely to need to go down the “worse than we thought” road.
  • Let people watch you struggle to cope and improve. Watching your organization struggle in the aftermath of a data breach builds confidence – first in your determination to make it right; and later, when you have made some progress, in the effectiveness of the responses and improvements you have implemented. It’s tempting to do your struggling in private, especially when you know you’re not going to be able to solve the problem totally. But bland assurances that you’re working on it aren’t nearly as effective as letting people watch you work on it.
  • Take responsibility, both moral and financial. Most organizations are good about taking financial responsibility for data breaches, often going further than the law requires. But they sometimes imagine that paying up is a replacement for apologizing. You need to do both. (Consider all the compensation BP has paid for the Deepwater Horizon oil spill; without a credible apology, the money has had little if any reputational payoff.) It’s fine to express your anger at the cybercriminals. But stopping them was your job; you failed and need to say so.
  • Tell people stories about themselves. This is one recommendation that organizations usually get wrong. Affected stakeholders want evidence that the organization responsible for the damage really knows what it’s like for those on the receiving end. Pick a few badly affected stakeholders and get their permission to tell their story – as vividly and empathically as you can. Those similarly affected will feel better. Those less affected will feel much better. Everyone will feel you really get it.
  • Offer detailed guidance on the path forward. What kinds of damage are you promising to reimburse? What kinds of damage might end up uncompensated? What should I do if I have been affected? What should I do if I think I might have been affected? What should I do if I want to take steps to reduce possible future effects of the breach that already happened, or my vulnerability to future breaches? The least you can do is make sure affected stakeholders can find detailed but easy-to-understand answers to their questions.
number 6
In general, how would you grade Target’s handling of the crisis? How about Neiman Marcus? What have such companies done correctly? Where have they erred?

I didn’t follow these two specific breaches closely enough to feel entitled to assess Target’s and Neiman Marcus’s performance.

I do know that both companies faced follow-up “worse than we thought” stories – so apparently their original damage assessments were over-optimistic. Target has been widely criticized for waiting a week to confirm published rumors of its breach, but after a slow-moving start its sensitivity to customer concerns has been widely praised. I don’t think either company did nearly enough to tell people stories about themselves, to dramatize how badly some customers were affected (and thus prove the company knows it and feels it).

You sent me a February 18 Wall Street Journal clip that shows exactly what I mean by letting people watch you struggle. The headline tells the tale: “Inside Target, CEO Gregg Steinhafel Struggles to Contain Giant Cybertheft: How Target Is Working to Manage Crisis After Theft of Credit and Debit Card Numbers From Millions of Customers.”

A March 13 Bloomberg Businessweek story reported that Target was well ahead of most retail chains in its data security precautions. The company had systems in place that detected the malware responsible for its huge data breach, and those systems issued several urgent alarms in time to prevent any damage to customers. But according to the story, Target ignored the warnings, perhaps because its people mistrusted the comparatively new monitoring software.

I am generally wary when post-crisis news coverage finds warnings or precursors that were ignored. Such coverage is often distorted by hindsight bias: What looks like an obvious red flag after the fact may have looked like a routine false alarm at the time. (If every company has a file full of warnings about possible breaches, then any company that experiences a breach is vulnerable to charges that it was warned.) But Bloomberg Businessweek reporter Lily Hay Newman made a pretty good case that the attack on Target wasn’t especially sophisticated – was arguably amateurish – and that Target’s data security team simply failed to take the protective actions that were obviously called for once their monitoring software had flagged the problem.

The revelation (if it’s true) that Target botched an opportunity to prevent its massive data breach is certainly damaging. It may well be more damaging coming a couple of months after the story broke than if Target had made it part of the original narrative. The same is true of the warning in Target’s mid-March annual report to the SEC that the harm to consumer privacy may go further than we know so far. The longer the story keeps getting worse, the tougher it will be for Target to get past it.

number 7
Can paid advertising address the problem? If so, what’s the best way?
number 8
Is rapid-response social media perhaps better at addressing such issues? Or PR?

The outrage of affected stakeholders is most aggressively expressed in social media, so social media are the best place to respond. Not rebut, respond. Nothing is more important than promptly and empathically addressing customer complaints after a breach. A customer who complains on the phone deserves a prompt and empathic response too – which means scaling up call centers and giving their people special training, overnight. But the call center interaction is one-on-one. A customer who complains on Facebook or YouTube or Twitter may have an audience of thousands or even millions. Surveilling social media and responding to what’s said should always be a top communication priority. In a reputational crisis like a data breach I think it’s the single highest communication priority.

Presumably companies also have ways to reach affected customers who haven’t reached out to them. They should be sending out emails and snailmails on a fairly routine basis, reporting on what’s new regarding the breach and summarizing what’s gone before.

And when an affected customer looks at the website of the organization where the breach occurred, he or she should have no trouble finding breach-related information. Target has a pretty good FAQ about the breach. Some of the answers are a little shorter and vaguer than I’d have recommended, but the tone is apologetic and understandable, and the list of questions is excellent. I like the Neiman Marcus FAQ somewhat less, but it’s not bad.

Neither company, as far as I can tell, has a place on its website where affected stakeholders can unload and the company can respond. And unless I missed it, neither company’s website has a list of links to news and commentary (including hostile commentary) about its breach. I think an organization’s own website is an ideal place for dialogue – not just monologue – about what went wrong. If you do it right nobody feels the need to create or access an XYZCorpSucks.com website because XYZCorp.com is doing the job. But monologue is better than nothing.

Both advertising and PR (“paid media” and “free media”) are secondary, in my judgment. They’re essential for reaching the much broader audience, the general public. But they’re inefficient ways to reach affected stakeholders.

Even so, affected stakeholders do pay attention to what an organization is saying to the general public. And it had better be compatible with the information targeted especially at them. You can’t send out an email to affected stakeholders telling them how sorry you are and how awful you know it has been for them, and then go tell a mainstream media reporter that it’s no big deal and not your fault. And whether or not a company decides to run full-page ads devoted to the breach, it should probably put a box about the breach at the bottom of any full-page ad promoting this week’s specials, lest affected stakeholders get the impression that it has one message for them and a different message for everyone else.

number 9
Let’s say a company that has never had a data breach comes to you and asks for a plan. Simply, what would you advise they have in place?
number 10
Should all companies have a data breach plan ready to roll before disaster strikes? Should they all have a data security chief in place (Wells Fargo just hired one this week) and trumpet that fact?

Every organization should figure out what sorts of crises it is likeliest to face, and develop a crisis management plan for each. That’s true for both genuine crises (situations that will rightly upset people about serious hazards) and purely reputational “crises” (situations that will understandably upset people even though the hazard is small). And of course every crisis management plan should have a major crisis communication component.

Everyone agrees this crisis planning process is invaluable – though opinions differ on how useful the plans themselves are likely to turn out.

For any company or government agency of any size, some kind of cyber attack is bound to be one of the crises you plan for. So, yes, every company should have a data breach plan ready to roll … and then every company should stand ready to deviate from the plan as circumstances require.

I’m less confident that companies should trumpet the identities or even the existence of their data security chiefs. Sophisticated stakeholders are too likely to find this amusing rather than impressive: “Well of course they need someone in charge of data security! You mean they just realized that this week?” And unsophisticated stakeholders are too likely to find it excessively reassuring, as if the company were promising not to have breaches – making any later breach feel like a betrayal of that promise.

So if boasting about your new data security chief isn’t such a good idea, what should companies be saying about the possible breaches to come. The best way to decide about pre-crisis messaging is to imagine the crisis has already materialized, and ask yourself what you would wish your stakeholders had already been told. Based on that exercise, I’d advise a client to say things like this:

Like everyone else, we are vulnerable to cybercrime, and we’re still working to find ways to protect ourselves – and protect you! We wish we could promise to keep all your information secure forever, but all we can promise is to keep trying. We’re getting better at data security all the time. But the cybercriminals are also getting better all the time. It’s a moving target, like the old Mad Magazine spy-versus-spy comics.

And to be perfectly frank, data security keeps getting more and more expensive and more and more inconvenient (for you and for us). Our data security people keep coming up with more things we can do, and then we have to decide which ones to implement. If we ever have a breach, we’ll wish we’d implemented more. We know that. But we can’t implement them all.

So we hope you will look at the following suggestions for ways you can limit your risk by controlling the data you give us (and everyone else) in the first place…. And if you’re feeling pessimistic about the possibility of a data breach, here are our policies covering what we will do if the security of your personal information is ever compromised…. One ironclad promise: We will never ask you to pay us for something a cybercriminal bought with your credit information. We know that’s not the only risk you might be worried about, but it’s one we can take entirely off your shoulders.

Companies have much to gain and little to lose by warning customers in advance that data breaches happen, and advising them about ways to help protect their personal information. Whether or not they take the precautions you recommend, people who feel they were properly warned will hold you less responsible for any later breach than those who feel blindsided. Paradoxically, they’ll also feel better protected beforehand. Warnings can be reassuring when they provide convincing evidence that others are worrying and taking precautions on our behalf.

I’m not worried that this sort of data breach warning will scare customers away. Most people who bother to pay attention to the warning are already at least a little concerned about data security. But they’re probably not so sure you are – not sure you’re concerned enough and not sure you’re candid enough. The warning tells them you are concerned and willing to be candid. That’s a big improvement over seeming in hindsight, after a breach, to have been oblivious or over-reassuring.

number 11
BOTTOM LINE: Can trust be reclaimed? Tylenol poisoned people, so to speak, and it came out OK.… (Different times and different circumstances, I know. Still….)

After the Tylenol poisonings of 1982, Johnson & Johnson and the Tylenol brand recovered quickly – mostly because J&J handled the crisis so well. Among other things, it took responsibility for packaging that was all-too-easy for some demented murderer to tamper with. It recalled all the Tylenol on store shelves, advertised widely that people shouldn’t use the Tylenol they already had, offered to exchange people’s Tylenol capsules for solid pills, and two months later reintroduced the capsules with a redesigned triple-seal package. Many customers felt that Johnson & Johnson was also a victim in this situation. But J&J never said so; it blamed itself.

More than thirty years later, this is still what a good response to a reputational crisis looks like. And a good response still goes far to mitigate reputational damage.

But you’re right that the circumstances are different. J&J didn’t just take responsibility for its packaging; it changed its packaging, and pretty much solved the tampering problem. The main problem with data breaches is that we don’t know how to solve the problem. And companies are resisting some of the partial solutions that are readily available – such as moving from magnetic strip credit cards to chip-and-PIN credit cards like the ones that are already widely used in Europe. (To its credit, Target has promised to switch from strips to chips by early 2015.)

So we can’t “trust” companies to prevent breaches. We can’t “trust” them to take all possible steps to try. We can’t even “trust” them to take some reasonable-but-expensive steps that have been adopted elsewhere but are still being extensively debated here.

Even world-class communication can’t forever rescue the reputations of organizations that keep deciding an occasional breach is cheaper than a step-change improvement in security.

So what’s going to happen? As I noted at the beginning of this overlong answer, people will get more accustomed to data breaches. But companies and government agencies will also get more serious about data security. And we’ll meet in the middle. When an organization that has done a decent job of trying to prevent breaches has a breach, stakeholders will cut it some slack – as long as it responds effectively, candidly, and empathically after the fact. But when an organization that has had a breach looks like it wasn’t doing as much as it should to protect its data, or responds poorly after the breach, stakeholders will make sure that it pays an ever-higher reputational price.

Copyright © 2014 by Peter M. Sandman

For more on crisis communication:    link to Crisis Communication index
For more on outrage management:    link to Outrage Management index
      Comment or Ask      Read the comments
Contact information page:    Peter M. Sandman

Website design and management provided by SnowTao Editing Services.