Stop the Presses

With the recent news that the TJX data breach actually affected 94 million credit cards–more than double the 45.6 million cards initially reported–any company that has anything to do with private consumer data must be on alert. And even though there are theories circulating that hackers used an in-store employment kiosk to set the data stealing trap, TJX hasn’t had much to say.

From a communications point of view, TJX’s lack of transparency (and ‘everybody’s doing it’ defense) is dangerous. The American public is extremely forgiving when a company admits that there’s a problem and outlines the steps they’re taking to fix it (see JetBlue.)  What they won’t stand for is secrecy.

The fact is that companies can’t keep data breaches under wraps, even if they wanted to. Web sites like Attrition.org–a site that keeps a running data loss archive and database–chronicle the daily events in the world of data loss. There have been 26 events thus far in October, 2007, ranging from MacEwan College’s posting of students’ personal credit information on public and internally-accessible web sites, to a stolen USPS laptop that contained names and social security numbers of approximately 3,000 employees.

If your company is caught in a data breach situation, you must run to the crisis. Take responsibility to fix the problem and move quickly to reassure customers that their interests are your foremost concern. A few ways you can publicly show your commitment to your customers is to:

1. Identify the villain:  If someone has stolen a laptop or thumb drive with customer information, working to track down and identify the perpetrator shows consumers that you take the situation seriously. It also highlights for the customer that your company is a victim, too.
2. Provide regular and periodic updates:  Saying nothing is oftentimes synonymous with admitting guilt. Schedule regular updates to the media, even if it’s just to let them know that you’re still working on resolving the issue.
3. Outline a game plan for consumers: Work closely with your industry association and your search engine optimization team to get the word out to consumers as to what steps, if any, they can take. Make sure this is done with no strings attached–now is not the time to partner with a company that’s interested in selling identity theft insurance, but it’s a good time to bear the cost and give it to consumers for free.

Of course, the best way to deal with a crisis is to avert one–so I called Paul Henry, Vice President of Technology Evangelism at Secure Computing, an enterprise data security firm. The technological advice he offered to companies dealing with sensitive customer data is this:

1. Perform due diligence: Companies have felt comfortable by buying and employing the technology solutions that all the other companies in the industry use. This isn’t enough. Popularity is not an acceptable replacement for due diligence - Test your solutions in real-world situations.
2. Deploy application layer firewalls: So much of the risk of data loss comes at the application layer, there’s no excuse for not having these in place. A packet filtering firewall on its own is inadequate.
3. Combine anti-malware with anti-virus. Virus scanners look for particular ’signatures’ to identify potential threats. Anti-malware programs analyze program scripts for malicious intent. Employing both technologies is prudent.
4. Move to true two-factor authentication. Any software solution that relies on user input alone will be hacked–it’s just a matter of time. Companies must employ two-factor authentication, that requires both some thing the users has in their possession such as a hardware token along with something the user knows such as a pin number that is appended to the one time password generated by a token, in order to provide adequate protection to their customers.

By using a combination of best practices–both in technology and in communications–companies may be able to avoid a data loss situation, or better handle one in the eyes of their customers and the media.

I was reading Operational Risk’s insightful recent blog post on the role of fear in understanding and managing risk and that got me thinking about the role that emotions–fear, ego, a desire to be right, etc.–play in a time of crisis.

Larry Craig, Martha Stewart, Michael Vick and the Utah mining disaster have something in common–in all four situations, an initial crisis strategy was sorely lacking, and emotion overrode logic. These are examples of the dangers of making decisions based on emotions rather than a trusted and tested group of advisors. And while these examples focus on the individual, they are exceptionally helpful windows of how — more often than we would like to admit — crisis decisions are made in some corporations.

When you’re in the middle of a crisis, you’re expected to perform at your best–and to make the best decisions–when in reality, you are more than likely going to be at your worst. Accelerated decision-making in a fishbowl, with key markets (and sometimes the whole world) watching; too little information; too many advisors, deadlines, and options; lack of sleep; and the pressure of making life and death, bet-the-company decisions in rapid succession. It is a recipe for the highest level of stress and testiness.

That’s why it’s so important to have trusting relationships with your crisis team–investor relations, general counsel, outside litigation team, outside crisis communications team and your social media or IT specialist–prior to a crisis actually occurring. Because they’ll be there at the ready to help you make the best all around decisions. It isn’t about proving that you’re right and your adversaries are wrong. It isn’t even about proving that the public’s perception is not the reality of the situation. It’s about winning your case in the court of public opinion while preserving your legal options.

Emotion and ego are often given short shrift by senior executives–after all, going with their ego and following their gut feelings are what helped them get to the top of the ladder. Why should they abandon emotion now, in the midst of a crisis?

Because winning in the court of public opinion offers is an uphill battle. Sometimes a ‘win’ means paying smaller costs to avoid larger ones. Sometimes the cost of business and the cost of avoiding a prolonged crises is to pay the government a fine even though you’re innocent; or to take a bad news story with a 24-hour lifespan so the journalist can go after someone else; or simply to include other decision makers amongst your trusted advisors, asking the question, “What do you think?” and truly listening to their responses.

Good decisions don’t necessarily mean you won’t follow your gut feeling, or that you’ll have to surrender your company. Good decisions are, however, made when one understands all of the potential ramifications of an action, which no one person can do on their own in most crises.

But CEOs aren’t the only ones who must be aware of their emotions. Ego also applies to the lawyers (both in house and outside counsel) who insist on driving the decision making, when often there is more at stake in the marketplace than in the courtroom. Or senior level executives more concerned with making sure it is not perceived as their fault rather than in protecting the company or brand. Or the communications professional who wants the big win over what is best for the client.

Ego and emotion are good things–they’re part of the engine of success. But crisis is a different animal with different rules. It’s the ultimate team sport, and no one should play alone.

In the past two months, we’ve seen and heard more of the Consumer Product Safety Commission (CPSC) than we had for our entire lives. Most recently, the agency has come under fire for what some see as a deadly delay in issuing a recall for a baby crib.

This September, Congress conducted a series of hearings examining the disappointing role of the CPSC in the recent recall of toys imported from China. By now we’ve all seen in stark living color that the CPSC appears simply unable to live up to the enormous job assigned to it by Congress.

All of this puts more pressure than ever on consumer product companies. Today, they must be smarter about protecting not only consumers, but also their products and their brands. No longer is saying ‘our products meet CPSC standards‘ a sufficient assurance of safety or quality. That’s because consumers now question whether the CPSC can adequately protect them.
 
American consumers demand accountability and responsibility–and when they can’t get it from the CPSC, they will look directly to the product manufacturers. Consumer product companies must step up to the proverbial plate and voluntarily fill in the gap between what the public demands and what the CPSC has the resources to regulate. Adhering to the ‘letter of the law’ won’t cut it anymore. In order to earn and maintain consumer confidence, you must take your corporate responsibility (and especially your communication about it on the Internet and in the news media) to the next level.

Smart companies will appoint Chief Safety Officers and hold them responsible for overseeing the safety and quality of products. They will also enumerate the steps the company has taken to ensure the safety of their products. Most of all, they will demonstrate that they are listening to customer complaints with swift action –not with mere words of concern or with coupons. Stricter self-regulation and accountability will be essential for consumer product companies in the 21st Century.

Tainted food has claimed another victim–this time, the company that allegedly created the crisis. New Jersey-based meat processor Topps Meat Co.ceased business operations after a week-long crisis. Why?  Because the recent recall of more than 21 million pounds of its frozen hamburger patties led one senior company executive to conclude that his company could not ‘overcome the economic reality of a recall this large‘.

Topps put a high-profile communications firm to work on the case several days into the crisis–and I’ve got to tell you, I have nothing but empathy for my fellow PR practitioners.  In an almost impossible situation like this, there’s only so much they can do. But I believe it was too little, too late. But instead of focusing on that, let’s take a look at what other companies in the food industry can learn from this situation:

• You’ve got to say you’re sorry:  In a crisis situation, acknowledging any responsibility and issuing an apology are two of the first things any company should do.
• Manage the situation: Acknowledge that something went wrong and tell the world about the steps you’re taking to fix the problem.
• Invest in crisis communications before you need it: Investing the time and money into creating a workable crisis communications plan isn’t saying that you’re expecting for something to go wrong–it’s simply acknowledging that you’re ready to do business in the 21st century. A good crisis plan simply buys you the time you need in the first 48 hours of the crisis to think clearly, rather than having to focus on creating the crisis communications process (like ‘Who will talk to the media?’ or ‘Who’s calling customers?’)
• Focus on your customers (and their customers): Messages that are ‘me’ focused–what the crisis will do to your business, how damaging it is to your company, accomplish two negative things: 1) They send the not-so-subtle message to your customers that your company’s well being is a higher priority than theirs and 2) They make you appear weak and vulnerable, inviting just the kind of litigious attention you’re been trying to avoid.

Could Topps have survived the recall?  We’ll never know. One thing we do know is that the American public is extremely forgiving when people (and companies) own up to their mistakes and demonstrate that they are correcting them. Food-related businesses would be wise to remember that.