Has anyone noticed a disturbing pattern in security breaches at major U.S. companies?
Due to slow – and even deliberately delayed – communications, consumers are getting the shaft.
The most recent case flared up in mid-January when TJX Cos., a Framingham, Mass. retailer that runs T.J. Maxx, Marshalls, Home Goods and other stores, disclosed a data theft that exposed millions of customer credit and debit card numbers.
As in several past instances, consumers were NOT notified right away. In the case of TJX, the company waited about a month. A couple of years ago, when Bank of America had some computer tapes stolen, it waited two months to notify customers.
Even the U.S. government waited several weeks before disclosing someone had walked off with a government-owned laptop containing Social Security information for 25.6 million U.S. citizens.
Corporate executives, government investigators, and legal counselors have been postulating that the communication gap exists because it gives the authorities time to catch the bad guys.
This may sound good on paper, but it doesn’t do much for the consumer.
I’m in agreement that the ultimate objective is to catch these thieves and throw the book at them. However, companies are bucking a clear trend: the customer (in this case the consumer) comes first.
Take a closer look at the TJX case.
According to a report in The Boston Globe, a New Bedford, Mass. city employee said $6,700 in charges suddenly appeared on his Visa card in January of 2007. It’s the same credit card he used while shopping at a T.J. Maxx store last December.
Does TJX really think it utilized the right communications strategy by waiting a month to tell this consumer about the breach? If you were this shopper, what would you think about TJX?
Could it be that TJX did not want to announce the breach in December because it would have severely impacted its Christmas sales?
My 30-plus years of experience in strategic communications tells me this dynamic must change.
By waiting to tell the consumer about breaches, companies are risking major damage to their reputations and brands and even a substantial drop in sales.
While it’s true that banks and other credit card issuers usually pick up the tab for bogus charges, there is still a huge psychological impact on the consumer. People whose personal data is stolen feel violated.
It may be gradual, but the American public is going to stand up against this behavior and demand to know right away that someone has stolen their financial data. At some point, it seems logical that consumers will organize boycotts against companies that compromise their personal data.
To make matters worse, some companies are making security breach announcements without solid contingency communication plans in place to deal with the fallout.
At the risk of picking on TJX, the company seemed disorganized when the story broke. People complained that they got the run-around from customer service hotlines and the CEO was unavailable for comment.
Finally, after more than two weeks, the company took full-page ads in newspapers saying that it was sorry for the inconvenience to consumers and it was doing everything in its power to correct the problem.
If the company had a good contingency communications plan in place, it would have called for a letter like this to be written within a matter of days. Why wait? It looks like the company is hiding something.
I believe there is an Rx to contain – and even fix – this problem. It involves work on the front end and the back end.
On the front end, organizations holding the data need to build more secure systems to protect consumer information. This will involve more capital spending on encryption, security software, and various other IT tools.
On the back end, state and national political leaders need to introduce legislation that compels companies to notify consumers within five days of a security breach. There will be opposition, but it’s the right thing to do.
Meanwhile, all of us continue to hold our breath until the next security breach is announced…and we wonder if our financial data will be compromised along with our credit standing and privacy.