In what may turn out to be the largest data breach of its kind, Target initially reported that hackers had stolen credit card and debit card information connected to as many as 40 million customers who shopped at Target stores. Later, Target issued additional information that another 70 million customers may have had personal information compromised, including names, phone numbers and email addresses.
Subsequently, Neiman Marcus revealed it too had been the victim of a security breach, and there are some reporting that the POS system hacking could extend to additional retailers.
The full magnitude of the damage will not likely be known for some time, when customers receive and examine their monthly statements and call their banks, security experts have said. In past cases, it has taken 30 to 45 days for the vast majority of bad charges to surface. Unfortunately, in a scenario with so much publicity, the impact of the breach may be felt for months . . . or longer.
So, the question is: what is the best way to communicate around a data breach of this nature? Working with a leading communications tracking firm, Competiscan, I was able to see a variety of communication strategies involving multiple channels and a variety of resolutions to the Target data breach.
“In today’s environment, it’s not a matter of if a data breach will occur, but when it will occur, and how well you respond. Do everything you can to prevent data breaches, but also fully plan out how you will respond if a breach occurs. Today’s media and consumer demands that two-pronged approach.” — Brian Lapidus, COO, Kroll Fraud Solutions
The one thing that should be part of any crisis plan is the reality that you might have to be in communication with hundreds of thousands of customers instantly. Unfortunately, while Target did ‘go public’ almost immediately after becoming aware of the situation, they were not prepared to handle the volume of calls or visits to their website/Facebook page that occurred. For instance, Target’s initial notification post garnered over 3,500 comments and 1,600 shares in the first few days from customers concerned about their card security.
The same is true for the financial institutions that have been tracked. While some communicated with customers as early as December 20th (the day after the initial discovery), some organizations have not yet reached out to all customers to explain what has occurred, what precautions can be taken and how the bank is working on their behalf.
According to a Reuters/Ipsos poll, 40 per cent of people who shopped at Target during the period of the data breach had not been notified about the incident. Thirty-one per cent said they had been notified by Target and 28 per cent said they had been notified by their bank or credit card company.
This is an opportunity lost at a time when trust between customers and their financial institution is still fragile from the past financial crisis.
“More than 55 percent of respondents said the notification about a data breach occurred more than one month after the incident, and more than 50 percent of respondents rated the timeliness, clarity and quality of the notification as either fair or poor.” – The Consumer’s Report on Data Breach Notification
The day after the initial reports surfaced, Target emailed millions of customers it thought were affected, and for whom it had email addresses. It has done the same for the additional customers it’s now found to be involved.
The company also created a dedicated page on its website for the data breach, including resources about identity theft and credit reports. Target has said that it plans to offer a year of free credit monitoring and identity theft protection to anyone who shopped in Target stores in the United States.
Finally, Target also sent postal letters and posted a series of short YouTube videos to explain details of the security breach, what the company was doing about the situation, and a discount offer for customers. It also provided the first set of steps a customer could take to protect themselves and where they could go for additional information.
As mentioned, the timing, format, message and channel of communications from banks in response to the Target data breach have definitely been varied. The first responses, before the holidays, came from all sizes of banks and credit unions. One of the first (shown below) was an email from Consumers Credit Union on December 19.
Chase and PNC Bank were also very quick to respond using email to inform customers that a data breach had occurred even though little or no detailed information was available at this time. Chase assured customers that they would monitor their accounts while PNC referenced their Security Assurance Pledge and linked to a continuously updated FAQ page.
Due to the sketchy information available during the first few days after the data breach was discovered and the need to proactively communicate to as many customers as possible, organizations like USAA, FirstMerit and Peoples United leveraged social media to help expand the scope of communication.
Chase made a rather dramatic move right before the holidays, limiting both purchase and ATM transactions at a time when customers were most likely to need access to funds for the holiday.
JPMorgan Chase was also the first major bank to announce a plan to ultimately replace millions of its 23 million debit cards. While not conducting a wholesale reissue of credit cards, which are harder to defraud quickly, the reissue of debit cards provided both a safety net for the bank as well as a bit of ‘surprise and delight’ to the customers who may have been worried about the risk of using their cards.
Citibank also recently announced plans to reissue all customer debit cards involved in the data breach at Target. The bank said it did not replace the debit cards sooner because it wanted to minimize disruptions during the holiday shopping season, according to a person briefed on the company’s decision who spoke on the condition of anonymity. It will begin sending out new cards soon.
Citi’s move highlighted the potential for continuing damage to consumers, banks and Target as data stolen in the breach may keep leaking into the black market. It also provided some goodwill to customers that went beyond what Target was doing (free credit monitoring, etc.).
The major consumer banks have been taking slightly different approaches in their responses to the Target breach. The other three consumer banks among the nation’s five largest — Bank of America, Wells Fargo and U.S. Bank — have said they are carefully watching cards for signs of fraud, but they have not broadly reissued debit or credit cards.
Additional communication beyond what Target did is important for customers since banks are generally responsible for charges made on stolen credit cards, but debit card users do not have the same protections and can be responsible for up to $500 in losses depending on when they report the fraud.
“Sixty-three percent of respondents said notification letters received after breaches offer no direction on the steps consumers should take to protect their personal information. Fifty-seven percent said they lost trust and confidence in the organization.” — The Consumer’s Report Card on Data Breach Notification
One of the clearest and most direct communications came from Discover Card, which replaced cards, provided very direct guidance as to what its customers could do to further protect themselves, and provided a link for more information.
Of all the communications reviewed, Discover’s appeared to be the only one that could be easily viewed and responded to on a mobile device. Given that recent research indicates close to 50% of all emails are viewed on a mobile device, it would be wise for more institutions to take this into account as they develop email communications.
In recent years, banks have given customers more tools than ever to help monitor accounts. Many consumers monitor their transactions daily on their smartphones, even getting text alerts for transactions in almost real time. All these tools help manage and stop fraud before it gets too far out of control. Communications from banks and credit unions should include a reference to these tools for the next several months.
Communications Master Plan
There are a number of resources available to assist with communications to customers in the event of fraud or a data breach. Most of the professionals in the communications business agree on the key components of a good emergency communications plan. All of them also agree that good communications is not just a good protection against financial loss, but also provides the potential for goodwill and loyalty going forward if done well.
The keys are:
- Prepare in advance – Consider a data breach likely and plan accordingly, designating a breach response team and developing a comprehensive and detailed plan. According to a communications agency specializing in social media for financial institutions, this plan should include:
  - Contact information for key executives (and their assistants)
  - Responsibility list (including the identified official spokesperson and team heads)
  - Social media resources and access credentials
  - List of media contacts
  - Style guide specific to breach communications
  - Approved templates to provide a starting point
- Be accurate and timely – Speed is of utmost importance. Understand the details and scope of the breach and identify all impacted customers while determining the appropriate message.
  - Keep the message brief, but complete
  - Avoid unnecessary information that could cloud the issue
  - Keep the message consistent across channels
  - Remember foreign translations
- Keep communication lines open – In addition to direct communication to customers through direct mail and email, social channels can provide an excellent means to update customers on an ongoing basis. Allow for social sharing of updates.
- Be open, honest and transparent – In a data breach situation, the details are important. Communicate as thoroughly as possible:
  - The cause, date(s) and extent of the occurrence
  - Steps being taken to fix the problem and avoid a recurrence
  - Be specific regarding the extent of the damage
  - Provide resources (phone numbers, web addresses and links) so customers can find out more
  - Continue the communication as more details emerge
- Provide next-step solutions – Communicate remediation and/or mitigation processes and provide customers ways to feel more secure going forward.
  - Make it easy to understand what you want them to do
  - Provide reassurance if possible and if valid
In the case of the Target breach, and any retail industry breach that may be uncovered in the future, the communication should not be a one-and-done thing. It should be ongoing as new information is uncovered and should assume the customer is looking for guidance and security on an ongoing basis.
Beyond the public relations and trust-building opportunity discussed above, a data breach of this nature also provides the opportunity to discuss and promote ID protection and credit monitoring services. While in this case credit monitoring is being offered by Target, many customers may not ‘trust’ Target with any service that will access their personal information (even though the service is not connected with Target).
Many banks and credit unions provide these services either for a fee or free. Now would be an excellent time to reach out to customers via email, online ads, phone calls and/or 1:1 branch selling to improve cross-sell ratios.