Gregg Steinhafel's tenure as chief executive of Target came to an unfortunate conclusion this week when the retail chain announced that its leader was stepping down. Steinhafel's demise as CEO was not a direct result of the data breach that compromised the data of 110 million customers last December. Rather, it was the company's response to the data breach that likely created new questions about its leadership.
Three fundamental crisis response concepts might have helped Steinhafel stay at his post. The same lessons apply to any financial institution that finds itself dealing with a major data breach—and they could help the next bank CEO that faces a public relations disaster hang onto his job.
First, every company handling data requires a pre-planned customer response strategy in the event of a crisis. All companies that possess critical data and customer information should be aware that they may be subject to cyberattacks and plan accordingly. Response time is critical, as are prepared plans for mobilizing a practiced crisis team. Financial institutions should also plan customer response scripts, digital communications and social media strategies, media responses that can be edited to include specific facts, and tactics for internal messaging and shareholder communications.
Customer response systems must be at the ready when a breach is announced. When call center agents have trouble answering factual questions, phone wait times stretch on and websites have no information easily available, customers won't remain customers for long. Messaging scripts should be shelf-ready with fill-in-the-blank specifics. Standing contingency staffing plans should be activated. Systems that monitor what customers are saying and measure the impact of companies' responses must also be in place.
Target's largest problem was its early release of inaccurate facts regarding the number of customers impacted by the breach. Target was quick to relay exactly what had happened—but its first version of events turned out to be wrong. Target initially announced that 40 million customers may have been impacted. That number grew exponentially as the investigation deepened.
It often takes several weeks for a clear picture of the facts of a data breach to emerge. Companies should avoid leaving customers hanging while they determine the exact nature of the breach, but they can delay releasing exact numbers or describe initial estimates or ranges. Those numbers will change. Financial institutions should remember that, regardless of external pressure to release information, the most important thing is ensuring that the facts they give customers are correct and notifying the customers affected as soon as possible.
Firms can describe what they are doing to determine the facts of the cyberattack, tell customers that the breach has been closed, and let them know the steps the firm is taking to ensure that the customers are protected. In the absence of solid facts, financial institutions must lead with how they are handling the crisis and how they are protecting customers.
Finally, financial institutions in the midst of a crisis need leaders who have been through similar problems before. Their crisis management teams should include business leaders who have working domain knowledge of the problem at hand as well as people with financial, legal, regulatory and public relations expertise. Crisis teams should also reflect companies' organizational capabilities. For example, it is important to have human resources in the room, since someone may need to be fired as a result of the discovery process. A crisis will have implications for every business unit within a company.
Other aspects of Target's performance may have helped pave the way to Steinhafel's departure, including slower foot traffic and competition from online stores like Amazon. But none of these difficulties were as damaging to the store's brand as the cyberattack.
Data breaches are not a new phenomenon. They will happen again at Target, and they may well happen at any number of financial institutions. Should that time come, banks should be sure that they have prepared in advance. They need to communicate at the right time with every constituency, through every channel, and make sure that they are able to measure the results of their actions.
Michael F. Clement spent 28 years at one of the country's largest financial institutions and leads a crisis communications firm, Strait Insights LLC.