I spent 21 years in public and media relations at four U.S. colleges and universities. In times of crisis communications, my approach was and is to get in front of the issue, to be as honest and forthright to your audience as you can so that the issue won’t come back to haunt you.
There were some instances I wish we could’ve handled a bit better, but largely we did well to adhere to the above approach.
I wish more retailers felt the same way.
When Target realized it had suffered its data breach between Nov. 27 and Dec. 15, it didn’t publicly acknowledge it until Dec. 19, nearly one week after data security expert Brian Krebs reported it on his website, KrebsOnSecurity.com, on Dec. 13.
For nearly three weeks, Target consumers were unaware that their credit card information was in the hands of cyber thieves across the ocean.
The Target data breach is why the U.S. needs one uniform data breach notification law, not the 47 state laws that are on the books now. It was one of the discussion points raised by Jason Oxman, CEO of the Electronic Transactions Association, who was a panelist in the session titled “Legislation That Could Affect Your CNP Business” at the 2016 CNP Expo.
Data Breach Notification Legislation: One Size Fits All
On May 14, 2015, Mr. Oxman introduced HR2205, Protecting Consumers: Financial Data Security in the Age of Computer Hackers, to the House of Representatives, a bill that would preempt state data breach notification laws. It is currently undergoing review.
Also notable is a bill titled the Cybersecurity Information Sharing Act (CISA), which enables payment service providers (like Instabill) and merchants to share details of a cyberattack. After six years of waiting, it passed on Oct. 27, 2015.
Advice to Merchants: Let Your Customers Know of a Breach Situation
Back in 1982, seven people in the Chicago area mysteriously died after taking Extra Strength Tylenol (it was later found the pills were laced with cyanide). Suspecting foul play, the Chairman of Johnson & Johnson, James Burke, pulled all Tylenol products off store shelves nationwide and proactively addressed the media.
The Tylenol issue in 1982 is certainly more extreme than the rash of data breaches over the last three years, but we admire Mr. Burke’s approach: He wanted U.S. consumers to know that J&J was being proactive at the expense of one of its best products, and he was awarded for his honesty.
It was a classic case of short-term pain, long-term gain for Tylenol, and merchants should adhere to the same approach. Customers will no doubt appreciate it.
We’d Like to Know…
Were you or someone you know affected by a data breach? We’d like to hear your story. Please leave us a comment at Instabill.com.