The Retail Data Breach: Brand Killer or Business as Usual?

January 12, 2017

Have you heard about the latest retail data breach, this time impacting handbag and accessories purveyor, Vera Bradley? Don't worry if you haven't. After all, retail data breaches have become downright commonplace over the last few years, so they aren't usually front-page news anymore. The staggering statistics behind high-profile cases, both inside and outside of retail, could also be desensitizing consumers to smaller-scale breaches.

The Target data breach arguably set the standard for high-profile retail data breaches. In 2013, attackers covertly gained access to the company's computer network, stealing the financial and personal information of tens of millions of customers. Target's substantial brand awareness and size were enough to turn the event into a high-visibility nightmare, but the timing of the breach couldn't have been worse either, as it occurred during the holiday shopping season.

In my last Commerce Lens article, I led with the premise that most retailers aspire to be brands, not just places that sell other brands. It's a double-edged sword then, when retailers that achieve high brand awareness unwittingly become more accountable for any data security shenanigans. Target's hard-won brand loyalty, not just its size, may have intensified its post-breach blowback.

In an already-challenging retail environment, it can be difficult, if not impossible, to quantify the short- and long-term impact that a retail data breach has on any retailer's brand, for a few reasons. First, the initial awareness of a breach usually only details the beginning of the story. Months-long waves of updates on scope and remediation procedures, capped by multiple postmortems in the media (all with a different spin), are not uncommon. In the meantime, the fast pace and seasonal nature of retail make it difficult for retailers to tease out which dynamics cause their sales numbers to soar or slide. Second, there is no universal standard procedure for handling retail data breaches from a PR and customer-relations standpoint. Retailer-specific reaction times, notification, and resolution procedures can vary widely. Finally, consumer behavior is increasingly mercurial, and brand loyalty is fleeting, even without a retail data breach event.

It may be difficult to measure the long-term impact of a data breach on retailers' brands, but there are steps that can be taken to soften the blow beyond the required legal and financial procedures:

  • Communicate good news and bad news through the same mediums. Although many retailers that have experienced data breaches are active on social media, corporate press releases have been the medium of choice for some to issue breach notifications. Transparency is a real hot button in retail these days, and abruptly switching communication channels during difficult times is a sure way to compromise it. If the first place your customers hear bad news is in the news, you've already cast a shadow of doubt and suspicion on any communication that you generate from that point forward.
  • Keep it simple and stay out of the weeds. It may be tempting to load up on jargon and explain the technical minutiae leading up to and following a data breach, especially if it seems to shift liability. Conversely, in the absence of details, providing vague references to foreign actors and as-yet-unknown consequences can have the effect of generating even more anxiety than inundating customers with specificity. Your customers want to know how the breach impacts them and who to contact if it does, and they want assurance that they can safely shop with you again.
  • Err on the side of adoption and accountability. In October last year, the highly anticipated EMV liability shift in the US literally transferred responsibility from financial institutions to any merchants that hadn't migrated to more secure EMV chip-and-pin card readers. Retailers that drag their feet about adopting the EMV protocol are asking for trouble, and software providers and others may have a role to play in various security-compromising scenarios. Regardless, you should be prepared to take accountability, if only because your name is on the building. Don't confuse who is to blame with who might get the blame in a communications vacuum, and resist any temptation to point fingers at the customer. Many retailers' data-breach announcements lecture customers on "remaining vigilant" and reviewing credit card statements while skirting their own culpability. Start the conversation early in the game, tell customers what you're doing about the problem, and be willing to fall on your sword.

Although data breaches can be seen as inevitable in retail, advances in technology are promising to close many of the gaps that existed only a couple of years ago. Retailers that invest in available security technologies early on, and those that take accountability and communicate clearly when things go wrong, will have a powerful brand protection arsenal at their disposal and minimize the damage if a breach does occur.
