Printed from BusinessInsurance.com

Target strives to limit damage to its reputation in wake of holiday data breach

Posted On: Jan. 19, 2014 12:00 AM CST

Reputational risk experts give Target Corp. qualified good marks on the company's response to its holiday shopping season data breach, but acknowledge the picture could change for the retailer as more details emerge.

Meanwhile, broad awareness of the potential risks to the reputation of a company's brand exposed by cyber security issues is growing in the retail industry. Some experts even say such events could alter consumers' perceptions about the safety of e-commerce.

In the days and weeks since its breach, Target has communicated with the stakeholders that hold the key to its reputation, though the event has had some discernible negative effect on its reputation, said Nir Kossovsky, CEO and director of Steel City Re, a Pittsburgh-based broker/adviser specializing in corporate reputation management and risk transfer.

“This is a firm that really has a chance to recoup that loss,” Mr. Kossovsky said. “But it has not done a great job in communicating on the crisis management side. They left it open for others to control the story.”

In the face of such a crisis, best practices in the immediate response are to demonstrate transparency, expertise, commitment, follow-up and empathy with affected customers, said Daniel Diermeier, IBM professor of regulation and competitive practice in the department of managerial economics and decision sciences of Northwestern University's Kellogg School of Management. “The key goal is to maintain or increase trust,” he said.

“To my mind, Target did some of that, but not all of that,” Mr. Diermeier said. “You have to do that quickly. Waiting until you know everything that happened often isn't an option for companies.”

Target first acknowledged on Dec. 19 the data breach it experienced from Nov. 27 until Dec. 15, saying in a statement that the breach resulted in the theft of about 40 million credit and debit card records. On Dec. 27, the company said its forensic investigation found that hackers also collected card users' encrypted PIN data. On Jan. 10, the Minneapolis-based retailer said its investigation found that up to 70 million other records, including customer addresses and telephone numbers, had been stolen.

“Their response seemed pretty good and effective,” said Larry Walsh, vice chairman at the Alexandria, Va.-based Hawthorn Group L.C., a strategic communications consulting firm. “But it took a long time for them to get there.”

Since acknowledging the breach, Target has assured affected customers they'd have no liability for fraudulent charges. The third-largest U.S. retailer offered them one year of free credit monitoring and identity theft protection. The company also said last week it would testify before Congress in early February about the data breach.

As the investigation of the Target data breach continues, along with another one into a data breach that retailer Neiman Marcus acknowledged this month, retailer awareness is growing about the connection between cyber security and corporate reputation, experts say.

“The whole kind of data security area is emerging as — if not the main one — one of the more important drivers of reputational risk,” said Mr. Diermeier, who also is director of the Ford Motor Co. Center for Global Citizenship at Northwestern's Kellogg School of Management. “The bigger you are, the more well known you are, the more likely you will find yourself in the spotlight.”

Tom Kellermann, managing director at Alvarez & Marsal Holdings L.L.C. in New York, said: “Now that we're seeing a dramatic increase in reputational risk due to these events, the calculus has to change.”

Historically, retailers relied too much on encryption and firewalls and not enough on next-generation cyber security strategies, he said, including both forensic capabilities and advanced threat detection capabilities.

Mr. Kellermann and others also emphasized the need to develop and test incident response plans companies can deploy when they've suffered a reputation-threatening data breach.

“One of the things you can do aside from all of the things (retailers) are doing on the technology side and the security side … is to prepare for the response,” said Tracy Knippenburg Gillis, global reputational risk and crisis management leader at Marsh Risk Consulting in New York. “That is really a huge difference in the way these things unfold, the reaction you see in the stakeholder groups.”

Organizations should exercise their response plans, identify who will be involved and what they'll do, she said.

“There's no reason to be waiting until the time comes,” Ms. Gillis said. “The faster you respond, the more accurate you are in your response, the better the outcome will be.”

“We've seen a real dollar-for-dollar correlation of managing a crisis well,” said Robert Parisi, network security and privacy practice leader at Marsh Inc. in New York. Reputational risk insurance can provide access to outside experts to help address such crises and help pay for their services, he said.

“You want to make sure that when an event occurs, you're getting out there with the right information,” Mr. Parisi said. “Nothing is probably worse than getting out there saying nothing happened and then coming back and saying something happened.”

With online communications and social media “the discretion, the ability to control (the story) is largely lost,” said Hawthorn Group's Mr. Walsh, who advocates that retailers and others handling large amounts of consumer information conduct data breach crisis drills at least once a year. Those who are prepared to act in real time will have the best chance of controlling the messages after a breach incident, he said.

Mr. Kossovsky said that the sort of mathematics applied to other risk exposures — weighing frequency and severity and determining “does the math justify the investment” — doesn't apply as well to decisions that might affect reputation.

“That's bad math when the risks are reputational,” he said, because it ignores important intangible factors.

“The reputation issues are really best understood through another kind of math called game theory,” Mr. Kossovsky said. “Your best decisions very much depend on how others are going to behave.”

Mr. Diermeier said the increased awareness of reputational risk “has to become operational. It has to become part of your way of thinking.”

A key question with potentially far-reaching implications is who consumers ultimately perceive as responsible for such a major data breach, said Kent Grayson, an associate professor of marketing at Northwestern's Kellogg School. “One question you want to ask about trust is who gets blamed,” he said. In some instances it might not be the company involved in the event, but an institution.

“To what extent is Target going to be blamed for this vs. to what extent is electronic commerce going to be blamed as an institution?” Mr. Grayson said. “Who gets blamed; and if it's not Target but it's the institution of e-commerce, what are the implications of that?”