Widespread security breaches during the holiday shopping season have caused more than 100 million people to wonder whether their credit card or personal information is now in the hands of criminals.
It's not only the actual data breaches that will cost these retailers customer loyalty in the long run, though--it's their delayed disclosure and lack of proactive communication. The unfortunate reality is that it's impossible to be completely safe from cyberattacks. If the most sophisticated intelligence agencies in the world are getting attacked, it's reasonable to assume that this is a possibility for any corporation.
For every business, be it a startup or a 100-year-old company, there's always a chance you'll face a problem that adversely affects your customers. Whether it's a product recall like Antennagate, a technical outage like the one Amazon suffered in August, or a security breach like the ones that hit Target and Neiman Marcus, companies need a playbook.
It's common for companies to have disaster recovery and technical redundancy plans in place in the event of catastrophes. But what about a customer service action plan? What's the strategy to work with customers who will undoubtedly have questions? Which channels will be open? How will the social channels handle the traffic? Is your business prepared to staff up to handle a five- or tenfold increase in inbound customer inquiries?
In an age when customer-centricity has become the winning strategy, it's imperative that an open and honest communication plan is at the top of your priority list. Here are a few tasks to get started:
1. Give your team a security refresher course. Agents should be trained to talk about security in a way that gives customers confidence. Prepare a list of talking points that have been vetted by security experts and company executives.
2. Map the messaging. Know where you would communicate a breach on your website, phone, email, chat, and social channels. Don't bury the information at the back of the automated menu. Making the information visible and easy to understand is incredibly important.
Holding Back Information Could Make it Worse
Unless prevented from doing so by investigators, failing to report breaches to customers (especially during the holidays) is simply bad business.
Building brand equity is like filling up a reservoir with a small bucket--it takes a ton of resolve and continuous effort over a long period of time, and it can also be drained completely in a matter of seconds.
The timeline of events around the Target data breach suggests that the retailer was quick to react once security blogger Brian Krebs published his original report. However, Connecticut's Putnam Bank, which is suing Target for losses resulting from the breach, claims that Target knew about the breach for four weeks before telling customers. Another class-action lawsuit against Target claims the retail giant ignored warnings from as early as 2007 that the company's point-of-sale system was vulnerable to attack.
A spokesperson for Neiman Marcus said the first alert came in mid-December, but actual evidence of the intrusion didn't surface until January 1. The retailer then waited nine days to tell customers about the breach, according to Reuters. The New York Times reported that sources briefed on the investigation question the retailer's decision not to disclose anything until the busy holiday season had ended.
Neiman Marcus and Target may have reacted just as law enforcement, security experts, or their payment provider advised them. But keeping their customers in the dark made them angry and potentially caused damage to their brands.
I think Michaels is a better example of how to handle a breach (or potential breach) appropriately. At the risk of upsetting customers, the retailer was as up front as possible. "While we have not confirmed a compromise to our system, we believe it is in the best interest of our customers to alert them to this potential issue," said Chuck Rubin, the company's CEO, in a statement on January 26.
The FBI expects more retailers will be affected by data breaches this year, so it's critical that you ask yourself a very tough question: "Am I prepared to make my customers angry?"