
Protecting Your Brand

Customer confidence is at risk when a breach occurs.

Stormy Weather

When TJX Corp. reported lower profits for the first quarter of 2007, CEO and president Carol Meyrowitz said "comparable store sales results in April were below our expectations, which we attribute to the unseasonably cold and wet weather across most regions of the country during the first half of the month."

Was she actually blaming April showers--not the biggest credit-card number heist in history--for disappointing sales at TJX discount stores T.J. Maxx, Marshalls, Bob's Stores and others?

But Meyrowitz's comment was not far-fetched.

"It's almost impossible to correlate a security breach to retail sales," says John Pescatore, a vice president at Gartner. Weather patterns, layoffs, expansion, fuel costs and yes, well-publicized security breaches--all of these affect a company's bottom line to varying degrees.

Indeed, it's safe to say that some of TJX's longtime customers will continue to shop at its stores. Yet others will view T.J. Maxx with suspicion for months or years to come, undermining decades worth of efforts to promote TJX's brands.

"Any breach has the tendency to dampen greatly whatever you are spending around your brand," says Kirk Herath, chief privacy officer, assistant vice president and associate general counsel at Nationwide Insurance in Columbus, Ohio. "I don't know if it cancels it out exactly, but for every dollar you spend on paid media, your negative, unearned media is out there as well."

"Customers will churn if they feel a company can't secure their data," says Larry Ponemon, founder of the Ponemon Institute, a research firm specializing in privacy and information management practices. "The customer translates bad data practices as lack of respect and thus may lose confidence" in any organization that can't keep information safe.

Case in point: Bank breaches and phishers posing as banks "may mean a slippage in online banking," where transaction costs are lowest and bank margins highest, says Ponemon. The bottom line and the brand are both affected: the consumer's view of online banking transactions as less than secure means they might choose to engage in more costly face-to-face transactions, while trust in the bank's brand has also been undermined. According to a Ponemon Institute study, 36 percent of respondents said they do not bank online, with two-thirds of those citing fears or concerns about privacy as the reason. Of the 61 percent that said they do engage in online banking, more than half do not use automated bill pay or online cash transfer services.

In the case of TJX, it was widely reported that "auditors knew about these problems, yet everyone ignored the auditors," says Mary Monahan, an analyst with Javelin Strategy & Research. "Until [those with lax security practices] are punished, they are not going to change their behavior."

Trying to wrap a dollar figure around brand value--and the attendant drop in its worth if a security breach were to take place--can be extremely daunting. "We're quantifying what trust means," says Nationwide's Herath. "I'd say that if we have this conversation again in two years, we'll have quantified it even more."

One of the reports Herath relies on to help put numbers on brand damage is the Ponemon Institute's annual Cost of a Data Breach survey. The 2006 report calculated the direct and indirect costs incurred by a company at $182 per compromised record.

In addition, the survey considers "opportunity loss." "When you have bad press, you are not likely to get as many customers. Someone offers you a Marshalls [credit] card, and you are maybe thinking twice about that now," Ponemon says.


A Team Effort
Creating an incident response plan must be a collaborative effort.

The most effective incident-response plans--the ones most likely to minimize post-breach damage to brand or reputation--incorporate many points of view, not just IT's.

Members of an organization's public affairs, risk management, call center, human resources and legal teams, as well as representatives from the C-level, need to gather before an incident occurs to discuss possible effects on their divisions as well as strategies to respond to and contain a breach, says Ernie Hayden, CISO and manager of enterprise information security at the Port of Seattle.

If these relationships and plans are in place when a security breach occurs, "your response will be that much more effective and timely," says Hayden.

What's more, obvious though it may seem, organizations must adhere to the incident-response plan they've carefully crafted when something happens, plus test it along the way.

Kevin Mandia, president and CEO of Mandiant, an IT security consulting firm based in Alexandria, Va., agrees. Another common pain point is that "there is no high-level direction," no czar tapped to oversee that an incident response plan is adhered to in the event of a security breach.

Mandia says he has helped create incident-response plans for organizations ranging from Royal Bank of Canada to the Campbell Soup Co. While collecting information from staff in legal, IT, operations and various lines of business is a must, so is interviewing individuals one at a time. Employees who can speak freely about the work they do and how they perceive it intersects with others' responsibilities are going to contribute to an incident response plan that most accurately reflects how the organization truly functions.

"We don't have people's bosses sitting there, because it will influence the course of the interview," Mandia says. "We ask them, what are the things you are worried about [in the event of a security incident]? If the leak of medical records were their biggest fear, I'd ask them how they would know if that sort of data had been compromised. I'd also then ask the IT folks about the mechanisms in place to safeguard that information."


Once the information is collected, a practitioner must piece it all together to form a big-picture view of an organization and its incident-response strengths and shortcomings, and devise a plan accordingly.

Including multiple points of view in the IR plan will help develop one that truly mirrors the organization both before and after an incident. Remember, lots of people within an organization--not just IT folk--will be cleaning up afterward.

About 55 percent of the dollar cost of responding to an incident and its fallout is borne by marketing, as that group seeks to replace customers who've taken their business elsewhere, according to the Ponemon Institute's annual "Cost of a Data Breach" survey from October 2006. Meanwhile, Javelin Strategy & Research notes that less than one in five respondents--out of 2,800--said they would continue to shop at companies that sustained data breaches; it's extremely costly to replace those customers.

Customer support shoulders another 34 percent, as it advises customers of the breach via email and paper letters and responds to questions coming into the organization's call center about the incident. Legal, risk management and audit groups bear about 11 percent of the cost, conducting their own investigations into the incident.

Total cost incurred by 31 responding companies that sustained a data breach ranged from $226,000 to $22 million, with an average of $4.8 million spent per incident, notes the Ponemon report.

--Amy Rogers Nazarov

One piece of good news is that only 0.8 percent of the time does a data breach extend beyond notification; in other words, "992 people will get a notice [that their personal data has been potentially compromised]," Javelin's Monahan says. "The other eight will experience actual fraud." The bad news is that many more customers than those who actually must fight fraudulent charges are left with an unfavorable view of the company.

Banks may see their brand tarnished in part because customers don't always understand the relationship between merchant banks, credit card associations and retailers. The mud from a breach splatters on lots of different links in the payment chain.

The repercussions from the BJ's Wholesale Club breach in 2004 caused "a huge reputational hit for our institutions," says Bruce Spitzer, director of communications for the Massachusetts Bankers Association. "Customers [erroneously] tend to think that maybe the bank is at fault because they have to wait for new cards," he says, noting that banks not only absorb the cost of issuing new cards--which the MBA puts at about $25 each--but also the cost of any fraud that arises from abuse of that card number.

In April, the MBA filed a class-action lawsuit against TJX in U.S. District Court in Boston, seeking to recover tens of millions of dollars in damages. The Connecticut Bankers Association, the Maine Association of Community Banks and other individual banks have joined the suit.

"Is retailers' primary objective to protect customers or not?" Spitzer says. He hopes the suit will make "retailers finally wake up and admit they have a financial incentive to invest in better systems." Federal legislators such as Rep. Barney Frank (D-Mass.) may soon introduce bills that would hold retailers responsible for these costs; similar efforts are being discussed at the state level in Connecticut, Minnesota and California.

Potential brand damage to organizations can serve as a lever to pry loose funds for new security projects that defend against data theft, IT professionals say. "Because we have been able to quantify it, we have had some very good experiences with selling security and privacy" to top management, says Nationwide's Herath.

Be aware, though, that while marketing might have a strong interest in security products' ability to protect brand, IT may well be thinking in other terms, like those products' scalability, effectiveness and price.


Damaged Goods
Dealing with a PR crisis is nothing new...unfortunately.

  • Medication
    Crisis: In 1982 seven people died after taking Tylenol laced with cyanide.
    Response: Johnson & Johnson recalled 31 million bottles and launched a PR campaign to inform the public. Ultimately the scare forced drug makers to introduce tamper-resistant packaging.

  • Crude Oil
    Crisis: In 1989 the Exxon Valdez spilled more than 10 million gallons of oil, making it one of the most devastating man-made environmental disasters in history.
    Response: Exxon was criticized for being slow to respond to the cleanup and was forced to pay $5 billion in punitive damages.

  • Air Travel
    Crisis: This year JetBlue travelers were stranded on planes for up to 11 hours after a winter storm hit the Midwest and Northeast.
    Response: JetBlue's CEO apologized, offered refunds and ran full-page ads with an apology letter and a Passenger Bill of Rights.

  • Fast Food Chains
    Crisis: Taco Bell food was the cause of hundreds of cases of E. coli in November 2006. Jack-in-the-Box had a similar E. coli outbreak in 1993, in which four children died.
    Response: Taco Bell temporarily closed 60 stores in the affected region and cleaned and restocked food.

  • Entertainment
    Crisis: To protect copyrighted material, Sony embedded a rootkit on users' computers.
    Response: Sony was forced to recall 52 CD titles.

  • Pet Food
    Crisis: Dogs and cats died after consuming contaminated food.
    Response: Menu Foods recalled more than 200 products.

During product or process evaluation, it's necessary to consider the entire spectrum of the risk you seek to minimize. Brand damage is one measure, but so is the risk of incurring fines for things like failure to comply with PCI. Under PCI, credit card processing organizations that fail to implement specified procedures to keep data safe may be hit with costly fines; at the extreme, they may be banned from processing credit card transactions.

Both of these matter dearly to Beverly Magda, CIO of The Humane Society of the U.S. "We would rather put the money into securing our systems than in paying [PCI and other] fines, and losing the trust of our donors," she says.

While "it's hard to put loss of reputation into dollar figures, if donations were to go down after a security breach," it's a metric that could not be ignored, Magda says.

Julia Wellman, senior member of the technical staff at Carnegie Mellon Software Engineering Institute's CERT program, considers the difference between governance--overseeing and ensuring the mission of an organization is being met--and management, which is more concerned with executing and implementing the things that need to be done to keep the organization operating according to its goals.

Ideally, both sides "work together to build and maintain a positive image in the marketplace," she says. "It's hard to build, and it's easy to lose."



First Phishing... Now Kiting

A new form of brandjacking, called domain kiting, takes advantage of an ICANN loophole. by Amy Rogers Nazarov

You're painfully aware that your organization's brand could take a big hit if your network defenses are penetrated and personal information is compromised.

However, your brand may also be tarnished if crooks pretending to be your company divert prospects from the Web domains you've purchased and sites you've spent countless resources building, or if they pose as representatives of your company on the phone.

Phishing is among the most egregious forms of so-called brandjacking. Domain kiting, also known as tasting--which takes advantage of ICANN's five-day period to repeatedly register for a free domain that may incorporate a well-known brand--is another popular form of brand abuse cooked up by the bad guys.

Any organization with licensed domain names must be vigilant in defending them from misuse, something Del Ross, vice president for distribution marketing for InterContinental Hotels Group's Americas division, knows all too well. Ross and six colleagues chase through cyberspace looking for those who help themselves to variants of IHG's well-known brands--Holiday Inn and Crowne Plaza Hotels--to bring a veneer of legitimacy to their Web machinations.

From the bogus domain www.crownplaza.com (note the misspelling), which steered would-be hotel patrons to a porn site, to intermediary sites (such as holidayinn-reservations.net) hoping to earn a percentage of an actual room booking, threats to IHG's brands--and its more than 3,500 registered domain names--crop up constantly, Ross says.
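As an added example (not code from the article, IHG or MarkMonitor), here is a small Python watchlist builder that generates the two kinds of lookalike names the article describes, single-character omissions such as crownplaza.com and brand-plus-keyword names such as holidayinn-reservations.net, and matches observed domains against them; the brand labels, keyword list, TLDs and sample domains are assumptions constructed for the example.

```python
import itertools

# Assumed second-level labels for the IHG brands named in the article.
BRANDS = ["crowneplaza", "holidayinn"]
# Assumed keywords an intermediary "booking" site might attach to a brand.
KEYWORDS = ["reservations", "booking", "hotels"]
TLDS = ["com", "net", "org"]


def omission_variants(label):
    """Drop one character at a time: 'crowneplaza' -> 'crownplaza', ..."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def transposition_variants(label):
    """Swap each adjacent pair: 'holidayinn' -> 'hloidayinn', ..."""
    out = set()
    for i in range(len(label) - 1):
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    return out


def keyword_variants(label):
    """Brand joined to a keyword by a hyphen, in either order."""
    return ({f"{label}-{kw}" for kw in KEYWORDS}
            | {f"{kw}-{label}" for kw in KEYWORDS})


def build_watchlist(brands=BRANDS, tlds=TLDS):
    """Lookalike domains worth monitoring; the brand's own names are excluded."""
    legit = {f"{b}.{t}" for b in brands for t in tlds}
    watch = set()
    for b in brands:
        labels = (omission_variants(b) | transposition_variants(b)
                  | keyword_variants(b))
        labels.discard(b)  # swapping identical neighbours yields the original
        for label, tld in itertools.product(labels, tlds):
            watch.add(f"{label}.{tld}")
    return watch - legit


def check_domains(candidates, watchlist=None):
    """Return the observed domains (e.g. from a registration feed) on the watchlist."""
    watchlist = build_watchlist() if watchlist is None else watchlist
    hits = []
    for d in candidates:
        name = d.lower().strip(".")  # normalise case and any trailing DNS dot
        if name in watchlist:
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample of newly seen domains.
    seen = ["crownplaza.com", "holidayinn-reservations.net",
            "example.org", "holidayinn.com"]
    print(check_domains(seen))
```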

While Ross is not sure that customers would view IHG's brands in a negative light if they stumbled onto a rogue site, "I just don't think we want to take that chance. I can't imagine that it helps us, guests having that experience."

Kiting and phishing and their low-tech equivalents "all take a good brand and siphon traffic away," says Frederick Felman, chief marketing officer at MarkMonitor, a San Francisco-based company that specializes in domain management, antiphishing and trademark-protection services. "These things interrupt a consumer's ability to trust," he says. IHG is among MarkMonitor's clients.

Organizations must continue to pay attention to low-tech forms of brandjacking, such as phone calls soliciting donations. Beverly Magda, CIO of the Humane Society of the U.S., says that educating would-be donors about the pitfalls of phone solicitations must be ongoing in tandem with online education efforts. If a caller says he's a Humane Society representative calling about your donation, yet "coming to you with a [full or partial] credit card number, it needs to raise a red flag," she says.

The good news is that some consumers are successfully separating the brands they trust from the tricks crooks deploy to pry loose private information.

Allison Fouts, a legal assistant from Reston, Va., says that a suspicious call from someone purporting to be from Amazon.com sent her straight to her computer, where she took several defensive measures, and her phone, which she used to report the call to Amazon's customer service.

"[The call] was the impetus I needed to change all my online passwords" and replace a credit card, she says. While Fouts opted against using Amazon for several months thereafter, eventually she did place another order with the e-commerce giant. What made her feel comfortable about going back? "Nothing bad happened, and the fear that it might wore off."


Just Admit Your Mistake

Failure to take responsibility is a common response, but crisis communication experts say apologize... and fast.

It's among your worst nightmares.

Hackers break into a network you thought was well defended and steal sensitive customer data. Your CEO is in defensive mode on CNN. You're scrambling to respond as customers bolt, reporters call and shareholders yell.

Yet you and your company possess a powerful tool that can defuse such a situation--and perhaps even burnish your organization's brand.

First, say you're sorry. Next, take responsibility for the breach and its fallout. Then take concrete steps to protect customers and harden systems.

"You can build a brand's credibility by behaving appropriately" after an incident, says Jim Lukaszewski, founder of The Lukaszewski Group, a firm specializing in crisis communications management. He adds that companies whose data has been compromised too often wait too long to act. TJX, he says, is a "classic example."

The parent company of discount retailers T.J. Maxx, Bob's Stores and others has been widely criticized as having waited too long to inform millions of affected customers of history's largest purloining of credit card numbers. TJX defends the one-month lapse between discovering the incident and alerting customers by saying that investigators asked it to delay announcing the theft. Yet as TJX appeared to struggle to get a handle on just how big the breach was, damage to its brands may have manifested partly in the form of decreased sales.

After a security breach, "there is a tendency [among companies] to wait and see," Lukaszewski explains. "Even as the situation turns more grave, there is a sense of denial that sets in: 'Anything we do will exacerbate the situation.' 'If we start talking about the incident, it will validate what people are saying about us.'"

In fact, inaction is the worst thing you can do, he says. "Whatever you do next, it will be perceived as your having waited too long." The key, Lukaszewski says, is act now, and act fast. You can do that in part by including a crisis communications strategy in your incident-response plan.

Some insurance companies are building the costs of crisis communications into their policies. Adam Sills, lead underwriter for Darwin Professional Underwriters' technology and information liability initiatives, says that his firm includes an estimate of the cost of crisis management consulting in a Web calculator that gauges the cost organizations might incur in the event of a breach.

According to the calculator (http://www.tech-404.com/calculator.html), if 5,000 customers' records are found to have been compromised, Darwin estimates about $25,000 just for the crisis management piece of the tab. There's also a line item for media management, such as the hiring of a public relations firm, and the costs of newspaper or other advertisements in states that mandate such communications.

Part of a complete crisis communications strategy includes engaging in a bit of schadenfreude and learning from the missteps of others.

"Look at what happened to your competitors who found themselves [and news of their breach] above the fold," says Julia Wellman, senior member of the technical staff at Carnegie Mellon Software Engineering Institute's CERT program. "Ask yourself, 'What would happen if we found our name in lights that way? Let's run through that exercise.'

"The main thing to do when you find yourself in that situation," Wellman adds, "is [not to] shirk and hide."

Nor to overlook the power of apology.

"Failure to apologize is a lapse of integrity," says Lukaszewski. "But the window of apology never shuts."

--Amy Rogers Nazarov

