With each passing day, it seems another company is hit with an issue that calls for public address. And at the top of that list is a breach in data security. The more organizations hit — Kmart, Home Depot, Jimmy John’s and Target — the more we realize it’s not a matter of if a data breach will occur, it’s when. The good news for future targets — we can learn from the online responses of those who have experienced the crisis first-hand.
For our purposes, let’s consider the varied responses between Jimmy John’s and Target in the potentially devastating data breach. Keep in mind, the goal here is not to dictate right versus wrong. It’s to consider the facts and decide if social media is a medium for effective crisis communication. Communicating via social media is always an option, but what are the effects?
On September 24, 2014, Jimmy John’s issued a statement regarding a possible security incident involving credit and debit card data at some of Jimmy John’s stores and franchised locations. The statement disclosed the data breach occurred between June 16, 2014 and September 5, 2014 affecting 216 stores.
As for assuring its customers the issue had been resolved, Jimmy John’s went on to share that third-party forensics experts were hired to assist with the investigation, the security compromise was contained and a list of preventative measures including installing encrypted swipe machines, implementing system enhancements, and reviewing its policies and procedures for its third-party vendors. Identity protection was offered to customers and additional information was posted online at jimmyjohns.com.
Though they took the necessary precaution of issuing a news release and detailed information on their website, that was the extent of Jimmy John’s online communication. Congruent Facebook posts encouraged fans to follow them on Instagram and a Love at First Bite promotion.
Right or wrong, Jimmy John’s chose to own the data breach on their website, and also chose to limit social media to promotions and a way to positively communicate about themselves.
Target opted for a different route — perhaps due to the number of customers impacted by their data breach or a different philosophy altogether. Let’s look at the facts.
On December 19, 2013 word hit that between the dates of November 27, 2013 and December 15, 2013 Target was hit with a breach in data security resulting in stolen information including names, mailing addresses, phone numbers or email addresses for up to 70 million individuals. Though a hit to the company’s budget, costing $148 million, Target provided information to customers to help resolve the issue – both through the company website and social media outlets.
Online Target issued an apology to guests, offered free credit monitoring, and provided resources including FAQs on the data breach. Target answered questions including: Has the issue been resolved? How could Target let all this credit and debit card information get accessed? How can I be assured you are taking the steps to protect my information in the future?
Concurrently, Target introduced the topic through social media posts on Facebook from January 2–24, 2014 offering tips on how to further protect yourself, a letter from the CEO and free credit monitoring. Here are a few examples of their Facebook communication:
January 2: After an event like a data breach, scams seeking personal information are common. Here are tips on how to further protect yourself and steps we’re taking to help. http://tgt.biz/ABV
January 13: Because we value you as a guest, we’re providing all guests who shopped in our U.S. stores with one year of free daily credit monitoring, as well as a free credit report, identity theft protection and personal assistance from a fraud resolution agent. Here’s how to get started: http://tgt.biz/CRMO
January 13: As part of our commitment to guests and communities, we’re working with three trusted organizations — the Better Business Bureau, the National Cyber Security Alliance and the National Cyber-Forensics & Training Alliance — to advance public education around cybersecurity and the dangers of consumer scams. To learn more: http://tgt.biz/CSC
I’m not here to debate if Target or Jimmy John’s effectively communicated data breach security with their customers. I do, however, find the use and non-use of social media outlets intriguing.
But what does this mean? Jimmy John’s chose to restrict data breach communication to a news release and their company website. Perhaps because the data breach was not as far-reaching as Target’s, Jimmy John’s was able to keep their social media platforms relatively free of data breach information and focused on promotion.
On the contrary, Target utilized Facebook to offer support and guidance to all customers, whether impacted by the data breach or not. Could they have avoided communicating through social media? Possibly, but chances are customers would come to them with questions through Facebook. In this case, Target certainly took ownership of their data security breach and offered tools in an attempt to aid their customers.
Right or wrong, I’m not here to judge. That said, an apology, as issued by Target in the following message to their guests, goes a long way.
We truly value our relationship with you, our guests, and know this incident had a significant impact on you. We are sorry. We remain focused on addressing your questions and concerns.
A challenging issue to communicate, a breach in data security could happen to any organization.
How will you react if you are next?