Creating a Culture of Corporate Responsibility after a Data Breach

essidsolutions

Data breaches seem to have become one of the established facts of life of the early 21st century.

Experts have started telling people to simply assume that their personal information has been compromised, and probably more than once. If you have a Social Security number, you should expect that it has already made its way around the Internet.

As with so many aspects of this brave new world, the big data breaches at Equifax and Capital One (147 million and 100 million people affected, respectively) have exposed the shortfalls in what we previously took for granted. That is true of privacy in general, but it is also true of how ready big companies are to deal effectively with technical problems they were too ill-equipped to avoid in the first place.

The companies' reactions to the breaches (the breaches themselves are bad enough, but let's extend some patience for the scale of the security changes involved) have been a master class in what not to do after a public embarrassment and a forfeiture of corporate trust. When it comes to demonstrating corporate responsibility in a tech-heavy world that already alienates many customers, Capital One and Equifax have both come up seriously short.

Let’s review some basic precepts of corporate responsibility that every company should instill in its employees, starting with the very top:

Be honest about what happened

So you screwed up. Okay. The good news is that most people have a reasonably generous capacity to forgive, especially when a new learning curve is involved (again, patience). But the first thing you have to do is come clean about what happened. Completely clean: clear, upfront, and without sugarcoating. People are smart enough to see through a disingenuous statement, especially one as transparently contradictory as Capital One's.

After the data breach became public, the company released a statement that was intended to alleviate some of the concerns over what information was compromised. In the statement, the company said: “No bank account numbers or Social Security numbers were compromised.” It continued: “Other than about 140,000 Social Security numbers” and “about 80,000 linked bank account numbers of our secured credit card customers.”

Nothing was compromised except for the things that were compromised, in other words. This is laughable, but let's do a quick breakdown of what's wrong, because it is slightly worse than it appears at first glance: the statement gives the impression of leading with a lie, because the very next sentence shows the first clause to be inaccurate.

It gets worse still by dismissing the real consequences for those 140,000 and 80,000 customers. For them, a statement like this waves away a nightmare; it is a corporate smack in the face. A basic training session in the first lesson of corporate responsibility could have avoided this.

Don’t make false promises

Following the Equifax data breach, the company reached a settlement with the Federal Trade Commission (FTC) under which affected customers could choose either a free credit monitoring program or a one-time cash payment of up to $125. But last week, the FTC said that in all likelihood the company will not be able to pay the full amount to everyone who signed up for the cash option.

It turns out there was a cap on the total amount the company could be required to pay out in cash, and the number of people who would opt for the cash payment instead of the credit monitoring was badly underestimated.

Now, I was not a fly on the wall during the negotiations between Equifax and the FTC. But presumably a company representative was present and looking at the bigger picture, and one of his or her main concerns should have been whether the company would be able to make good on what it committed to.

If a company can’t come through with its mea culpa, how seriously can customers expect to take its promises to make sure the same kind of breach doesn’t happen again?

Which is why, in the end, corporate responsibility makes good business sense. No one wants to throw in their lot with a liar or a cheat. And even if your company is neither of those things (which, come on, it isn't), slipping up on these basics can make it come across as one.