Like many people, I shop regularly at Target. It’s one of my favorite stores. So when I first heard news of the data breach they’d experienced, my heart sank. I am a Target Red cardholder, and had used my card to shop there three times during the time period identified.
And then I learned about the full scope of the attack – that it affected shoppers who used ANY credit card at Target during that time, and involved more than just information about their card numbers. I saw many people panic, and agreed that if I had used my debit or another card there, I would have been canceling it immediately.
From the breaking of the news story right up through the letter I received as a cardholder this week, Target has done a number of things – some good and some questionable – that affect their reputation. While law firms have different concerns and vulnerabilities than a consumer store like Target, mistakes, oversights, and crises can and do occur and we can learn from Target’s handling of the data breach.
At the heart of the issue is the idea of trust. When you shop at a store and give them your credit card, you are saying that you trust them to handle your associated information with care and strong security. And that’s true wherever you send your business – any time you work with someone as a client, you are saying that you trust that person to take care of your needs, whatever they may be.
When a breach happens, whether it be a data breach like Target’s or another kind of breach, trust is broken (or at least bruised), and people question their relationship with that retailer or service provider. How you handle the aftermath will determine whether someone continues that relationship with you, or goes elsewhere.
Let’s take a look at what Target did (or didn’t do) following the data breach (here’s an excellent timeline from the WSJ):
Brian Krebs Breaks the News
Brian Krebs initially breaks the story on his blog, KrebsOnSecurity, on December 18th that the retailer has experienced a breach. I note this as significant because the announcement comes from a source NOT inside Target itself. It took Target a full day to acknowledge that the breach had happened after the story broke.
For me, this is where the initial break with trust happens – we know that in today’s world, hackers and data breaches are always going to happen, and we just do our best to make sure that we are as secure as possible. No company is going to be perfect.
But when there’s a problem, I don’t want to hear it from a third party. I want to hear it directly from the source, the moment that they know about it. Otherwise, it looks like they’re trying to cover up a mistake, or keep me from knowing information that could seriously hurt my finances and my credit. I’m no longer fully informed, and that makes me wonder what else they’re keeping from me. It also makes me think that they weren’t prepared for such a crisis to occur, and perhaps they won’t be able to adequately deal with the aftermath.
Lesson for Law Firms: The lessons here extend beyond just situations where a mistake may have been made. Perhaps there is bad news about a case for your client, and you just don’t want to disappoint them. Or perhaps there has been an issue within the firm itself (be it client-related or even as simple as an improper tweet going viral).
The key is to get out in front of the story – I’m not talking about accepting fault (though there can be a lot of merit to that, depending on the circumstances). But it’s important to acknowledge that a problem exists, that you know about it, and are working to find out the source as well as resolve it. Whenever there is an issue that causes questions about trust in your firm, or trust in your attorneys, the important thing is to be as transparent as possible, so that you give your clients a reason to keep believing in you.
To avoid being behind the eight ball from the beginning, it’s essential to have a crisis plan in place…before a crisis hits. There are many, many resources and methods for doing this, but those firms who have already considered this are in far, far better shape when something happens than those without a plan who end up scrambling (and usually making more mistakes or causing additional bad will).
Target Creates Multiple Channels to Address Concerns
One of the things that Target did right was to create a number of ways that concerned customers could reach out to them – it’s debatable as to whether they did this in a timely-enough manner, and whether those channels were equipped to handle the sheer volume of consumer concern, which is a secondary issue we’ll look at.
- Target created a phone number specifically for customers to call in with concerns about the data breach.
- They created a subset of their website dedicated entirely to the issues surrounding the breach, including all of their official communications, answers to questions people might have, links to credit reporting agencies, messages from their CEO, and other related stories.
- They sent emails and paper mail to their Target Red cardholders and other customers.
- They shared information about the breach and their response on their Facebook page (beginning December 23rd) and on Twitter (beginning December 19th). Interestingly, neither their company page on LinkedIn nor their Google+ account addresses the breach at all.
Lesson for Law Firms: Find out where your clients are and how they want to hear from you – do it now, when you’re not in crisis mode (this goes back to the importance of having a plan). Then, if and when something happens, you already know how to contact them and you’re not scrambling to keep up.
This piece of the puzzle is about managing the relationship, and helping to repair any damage for the future – you’re showing transparency to your clients and giving them multiple avenues to voice their concerns. Importantly, you want to make sure that the channels you’re using are the ones that your CLIENTS want you to use, and not the ones you’re most comfortable with. I’d wager that in the majority of cases, you will need to pick up the phone and call your clients directly, or arrange face-to-face meetings to discuss the issues at hand, and how you propose to deal with them.
A good rule of thumb is to think about your reaction if you were on the other end of the situation – how would you want it to be handled? Would you want a phone call? A meeting? A press release? A general email? What would make you feel comfortable enough to keep doing business in the face of a problem? Then, do that.
It will depend on the medium where the issue occurs, too – for example, if someone tweets out something offensive (accidentally or on purpose), Twitter and other social media will be the best place to respond. If an internal breach happens with client information, while you may address it in some form on social media, your primary means of communication here should be direct with the client.
- Target’s phone number set up for breach concerns was quickly overwhelmed by the call volume, and they were left scrambling to expand their call centers dedicated to the issue.
- Delivery of messages was not consistent (I’ve received a number of emails and one letter, while my mom, another card holder, only received a letter this week, several weeks AFTER the breach).
- Many of the messages were delivered days after Target’s official announcement, which was still days after they initially learned of the breach.
Lesson for Law Firms: Basically, the lesson here is plan, plan, plan. It was clear that Target either didn’t have any crisis plan in place, or that their plan hadn’t accounted for the scope of the breach that happened. They were ill-equipped to deal with the numbers of calls and website hits they got, and were left trying to make sure that they had enough support, rather than focusing on the actual issues.
Staffing is an important part of any crisis communications plan – identify who is the spokesperson for the firm (if there needs to be a firmwide response to an issue, and not just from individual partners), who is responsible for dealing with calls and emails, and the timing that staff need to be there to deal with inquiries. Know in advance whether the firm will want to secure the services of a crisis communications firm, and have that relationship in place BEFORE an issue arises. The more processes are in place when everything is going well, the more dedication you can show to the challenge in question when something arises, instead of racing around to meet the basic needs of your clients.
Timeliness and speed are also important when a major crisis occurs. Obviously, you need to have the right information going out, but when someone’s trust is broken, they will want to know right away what you’re doing to fix it. That’s where planning comes in as well – when you’ve pre-identified the decision-makers who will need to be involved in a crisis (those approving press releases, speaking with media, etc.), you can mobilize them as soon as you need to.
Target waited an entire day to confirm the story, and their Facebook posts took another four days to start. They never posted at all to LinkedIn about it, where they have over 200,000 followers. When a major issue occurs, leaving too much time before making an official announcement allows for rampant speculation and panic to occur – planning will help to avoid this.
Another of the things Target did wrong was not properly managing the information that was coming out about the breach.
- Initially, they said no PIN information was compromised, but later they revealed that it had been.
- USA Today recently reported that Target had been warned about the danger of a breach as many as two months before the breach occurred.
Since I don’t know what conversations took place internally there, I can only speculate that there are two possible reasons – first, that Target had been advised to only reveal that which was absolutely necessary to avoid opening themselves up to litigation, or that they didn’t know the full scope of the breach during the earliest part of the investigation (or a combination of the two).
Lessons for Lawyers: Here again, it’s about getting out in front of a story. People will always ferret out the truth of what happened (if the story is big/juicy enough), so you want to make sure that if you’re the subject, the information is always coming from you and is as complete as possible.
And finally, let’s look at what Target offers as solutions to allay its customers’ fears, and help restore the broken trust in their relationship with them:
- Accelerated investment into chip-enabled technology, which is more secure.
- Reassurance about fraud on Target Red cards.
- Reassurance about customer liability for fraudulent charges.
- Credit monitoring.
These solutions look at the things that customers are worried about in the wake of the breach – what will happen to my credit? How will I know if I’m a victim? Will I be liable for the charges incurred? How will you prevent this from happening again?
While I’m sure there is also the question on customers’ minds of "how could this happen in the first place?" these points address the main concerns that customers have, and show that Target is in tune with what their worries are. They show that they’re serious about making things right, and serious about making sure that it won’t happen again.
Lessons for Lawyers: While we all know there can be some liability in saying "I’m sorry" in the face of a crisis, sometimes an apology goes a long way in smoothing over the relationship. Most people understand that things can go wrong, and mistakes can be made, and accepting responsibility is the first step in acknowledging someone else’s pain.
The next step is to show how you will fix that, and finally, how you will prevent it from happening again. While it’s impossible to imagine every possible scenario for what might go wrong for a firm or in an individual matter, there are broad suggestions you can put in place as part of a planning process that will allow you to empower individuals within the firm to make the decisions that need to be made at the speed at which they need to be made. The partners should be in sync about the extent to which the firm is willing to go in the face of a crisis to rectify it, and fix its reputation with clients and within the market.
As I indicated earlier, having a crisis plan in place is an essential part of being ready to face any crisis that may come along, big or small. The time to do that is now, when you’re not facing an issue. Although law firms may not face the same concerns as a consumer retailer like Target, there are big lessons to be learned from their mistakes and successes in this recent breach.
Does your firm have a crisis communication plan in place? What would be some of your tips?