Are You Breach Ready? What Financial Institutions Can Learn from Target’s Recent Data Loss

• Author: , Sr. Account Director

[Image: Target Facebook announcement about breach]

The week before Christmas, Target stores announced that a data breach allowed computer hackers to get away with cardholder name, card number, expiration date and CVV data pertaining to over 40 million credit and debit transaction records.

Target’s crisis management and marketing plan came together swiftly. Customer-facing communications followed what appeared to be a planned course of action and included:

  • press releases,
  • social media announcements and scripted conversation management directing people to call centers and website,
  • website updates,
  • increased call-center staffing and capacity and
  • notification emails to guests for whom they had email addresses.

[Image: Target Facebook listening to concerns about breach]

The black eye
Thousands of shoppers descended on Target, immediately overwhelming the system and expanded resources Target had in place. On Facebook alone, Target’s initial notification post garnered over 3,500 comments and 1,600 shares, and many angry, panicky Target customers fueled the fires of others who could not get through on official customer service channels.

The bull’s eye
Target’s response to the breach kept it in touch with shifting consumer sentiment and allowed the retailer the flexibility to deviate from its pre-determined course to clarify messaging and better engage concerned customers. Within 24 hours, Target released recorded video posts of CEO Gregg Steinhafel discussing:

  • the value Target places on all its customers,
  • his own dissatisfaction with call-center wait and website response times and a promise to do better,
  • tips about what customers can and should do,
  • the offer of a special 10 percent in-store discount the weekend before Christmas for all customers (as an apology/incentive to make amends) and
  • a free year of credit monitoring services to everyone impacted directly by the breach.

[Image: TARGET_Email_to_REDcard_Holders_12212013]

Target did a lot of things right, and by having a plan and monitoring strategy in place, it was able to assume a leadership position to handle the situation. Target evidently did its best to manage expectations and help its customers sort out the financial vulnerabilities created by the breach.

Communicating a data breach
Whether unintended, malicious or criminal, data breaches are more common than you may think. In fact, The Privacy Rights Clearinghouse has cataloged over 4,100 data breaches made public since 2005, which makes it feel like a question of when – rather than if – a breach of financial and/or personal data will occur. There is a lot at stake (most significantly the very reputation of your brand) so immediate action is very important.

Here’s how to begin developing a crisis plan to respond immediately to a data breach:

Have all your information in one place, including:

  • contact information for key executives and their assistants,
  • role and responsibility list, including identified official spokesperson(s) and those tasked with decision-making,
  • a list of social media resources and access credentials,
  • up-to-date list of media contacts,
  • communication and style guide written specifically for breach communications and
  • approved boilerplate copy/templates (Note: it may not be situationally appropriate to use these).

Keep the focus on the facts:

  • Keep communication and messaging simple and brief, but complete.
  • Do not offer unnecessary or secondary information that could potentially cloud or confuse the issue.
  • Keep the narrative the same across all marcom channels. Use the same copy points everywhere.
  • Translate into foreign languages as appropriate.

Be prepared with what to say:

  • Address the specifics of what happened.
  • Explain what you are doing about the situation and what you did to address and fix the problem so it does not happen again.
  • Be clear about what you want cardholders to do, including monitoring their accounts for unauthorized activity, etc. (this empowers them).
  • Reassure cardholders that they are not responsible for unauthorized charges or debits to their account (zero liability).
  • Be matter-of-fact vs. alarming. Phrases such as “data breach” or “hacking” are vague and may instill panic. Consider wording such as “payment card issues” or “unauthorized access to payment card data” as shown in the Target examples.
  • Be specific as to terms and quantify the damage as much as possible. If card numbers were stolen, state it as such. The use of broader terms such as “account information” makes the problem seem worse.
  • Provide resources (phone numbers, web addresses and links) so that customers can check their credit reports, contact credit reporting and monitoring agencies, issuers and retailers.

And remember:

  • Customers need clarity. Make it easy for them to understand what you want them to do. Use clear “1-2-3” steps. Be consistent and use all your channels and lightweight self-service options, such as knowledge bases and FAQs. Hundreds – if not thousands – of Target customers who did not have any signs of fraudulent activity on their accounts burdened its customer service resources.
  • People are scared. They want reassurances and the acknowledgement that they are getting through. So-called “canned responses” (especially for social media) may not be the best solution if they do not provide a specific answer or a feeling of empowerment.
  • You will lose some customers. No matter how hard you try, some customers (right or wrong) will complain and behave poorly. Treat all threats seriously.

Just another day on the beach
Cardholders know that breaches can and will take place… they just hope it won’t happen to them. Learning from those who have experienced data compromises will help us maintain the trust of our customers should the same happen to our institutions. As such, consider preparing for a data breach as part of your regular business and crisis communication planning.