
A Brief Guide to Your Next Data Breach Emergency

Just when you thought it was safe to drop 40 large on your Spring togs, doesn’t someone bad make off with your Saks account data. It’s probably on a mantel piece or trophy wall some place, right beside your Uber info, your Equifax file, and the results of that mercifully negative blood test from college.

It seems to me that we are now past pretending to be surprised when the bad guys do a smash and grab in our databases, and it’s time we were properly prepared to explain it to our customers, partners and employees.

Which is why it’s so disappointing when companies that should know better, do a terrible job of it. Let’s take a look at Uber: I can’t quite tell whether it was the marketing people or the lawyers who won the day on that one, but their customer messages were shining monuments to all that is weaselish corporate bullsh*t.

First, the CEO posts a message on their newsroom page (the one literally nobody goes to) on November 21, 2017. That’s a full year after the breach, but who’s counting? You can see my parsing of the thing by clicking the link below, but I think its crowning achievement is the way in which not one of the 482 words is “sorry” or “apologize”. We find out how surprised the CEO was to learn of the incident; we discover that two of the people who forgot to tell anyone have been sacked; and, we see that a counterterrorism expert has been hired to help the CEO “think through how best to guide and structure the security teams and processes.”

And Now a Word from our CEO

Well, thank goodness for new ways of thinking. Because four months later, in March, they thought it would be good to email actual Uber customers. That came in at a reasonable 348 words, give or take, and right there in the third paragraph there’s an apology. Just the one, but, hey, what do you want? It’s interesting that neither message mentions that the police have been called, that the relationship with the third-party provider has been terminated, or that anything unpleasant may have happened to the two bad guys. You can see my deconstruction of the email here: An Email from Uber

Then there’s Equifax. Richard Smith, the CEO, does a great job of doing the Dance Apologetica all over Twitter and the news media. Regrettably, they messed up on the website that was supposed to reassure 148 million people about their data, and then stopped answering the phone. And then, heaven help us all, the (now former) CEO, still apologizing his arse off, turns up at a House subcommittee in Washington where he explains away the whole thing by blaming one employee for not installing a security patch.

Really, Mr. Smith? Just what kind of rinky-dink operation were you running there? Sir, it does not instill a ton of confidence that the security for your entire company rests on one person’s remembering to install a patch. And, if that is nevertheless the truth, why in God’s name would you say it out loud? Congressional hearing or not, that is over-sharing of the dumbest variety.

What these regrettable CEO face-plants share is the obvious haste with which their messages were duct-taped together, and the stunning lack of preparation for their CEOs. You’d think with all those months of notice they’d have done a better job.

So let’s agree that it’s likely not a matter of if, but when, you have to do the same dance. In which case, may I gently suggest you get on it while you are still capable of cogent thought and don’t have a panicked Chief Privacy Officer at your door? Here are some things to get you started.

  1. Apologies Start with People
    Figure out who you will need to talk to. If you do nothing else to prepare, at least sit down and make a list of all the people who will care about your data breach. Think real hard, now. Maybe get a second cup of coffee for this; it’s important. Customers – Okay, but which kinds? The ones whose data you just let out the door, but also the ones whose data is not affected but who might be worried? Also, suppliers, regulators and contractors will want to know, too. Most important, and I can’t believe how often we forget them, are your employees. You’ll want to break that list down by the ones who will be front-line witnesses to the wrath, plus the ones whose neighbours, mothers and book club will be asking questions.
  2. Review Your Lists
    Circulate that list to everyone. Your legal department, your Customer Abuse department, HR, sales, all of them. They will understand, more than you will, how to flag the tiny pockets of potentially miserable people on the list, so you can pay special attention to them when the time comes.
  3. Visualize the Apocalypse
    While that is happening, you will want to meet with your data-keeping people to understand the various ways in which this whole thing goes to shit. There’s your basic hack, your inside job by a malicious ex-employee, the thumb drive helpfully left in a taxi, the ransomware guys, the our-summer-intern-forgot-to-install-the-patch variety, blame-the-vendor, and oh so many more. Including the entirely possible scenario where nothing at all has happened, but someone is reporting it anyway.
  4. Practice Your Apologies
    You will next want to draft some apologies. If we stop thinking of them as statements or press releases and start thinking of them as apologies, this ends a little better. Take your time, write it nicely, keep it short, try to sound like you mean it and get it past your lawyers. You can fill in the grisly details later.
  5. Give Your Apologies Machine a Tune-Up
    Build the web pages you will need to have ready to reassure your customers or shareholders or employees. Keep them on a staging server, but have them ready to go now and fully tested. Then write your scripts and escalations for the front-line employees. Do some crisis exercises, some focus groups and some role playing, tweak the scripts and put them in a safe place.
  6. Train Up Your Chief Apology Officer(s)
    There are a ton of other things to do, but I will end with one more essential: get a bunch of your executives media trained. If they’ve been trained, train them again. This time, with one of these scenarios. Be brutal, force them into corners and give them sensible, honest things to say. Given the mortality rates of CEOs during these sorts of difficulties, it’s a good idea to have some spare apologists trained in case the big cheese exits earlier than they might have planned.