Zappos Is Giving Us a Lesson on Managing a Data Breach
We’ve written about the mechanics of dealing with data breaches on this blog several times before, but Zappos, the Amazon-owned online shoe and apparel retailer, is giving us a great real-time lesson on the subject that everyone who may ever have to deal with the issue should look to for guidance. There is a lot to be learned.
Zappos has built its reputation around, and owes its huge success to, providing an exceptionally high level of customer service, including a 365-day no-questions-asked return policy. Zappos customers, this blogger very much included, really feel that their satisfaction is the retailer’s top priority, and nothing tests the validity of that belief like a confirmed breach of sensitive customer account data. But as I said, Zappos is meeting the challenge with flying colors.
Crisis Management Lessons from the Zappos Data Breach
Zappos announced the data breach in an email from founder and CEO Tony Hsieh to all of the company’s employees that was also published on the retailer’s blog for the whole world to see. This email deserves close examination, as it should be used as a crisis management template by everyone who finds his company in a similar predicament. Let’s do it.
Lesson 1: get everyone involved. By addressing all of his employees, Hsieh makes it clear to his own staff, as well as to the outside world, that this is an issue everyone within the company is responsible for helping to deal with.
Hsieh begins his email thus:
Please set aside 20 minutes to carefully read this entire email.
Lesson 2: make the gravity of the situation immediately clear. It is a short email that takes a few minutes of careful reading to get through, but Hsieh is asking that employees spend much more time on it. Why? Because the issue is critical and he wants everyone to understand that and give it some thought.
Then the CEO tells us what took place:
We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky. We are cooperating with law enforcement to undergo an exhaustive investigation.
Lesson 3: get straight to the point and tell it like it is. Once you’ve got everyone’s attention and made it clear how important the issue at hand is, the only sensible way to proceed is to describe the matter clearly and concisely. Hsieh does just that.
Now Hsieh tells us that he is not allowed to provide specific details, but adds this:
THE DATABASE THAT STORES OUR CUSTOMERS’ CRITICAL CREDIT CARD AND OTHER PAYMENT DATA WAS NOT AFFECTED OR ACCESSED.
Lesson 4: don’t overblow the positive aspects (if any). The problem is huge and you’ve already made that point clear. Now, if there is anything that is positive about the story, tell the facts, but don’t make it sound as if it is equally, never mind more, important than the bad news. Doing so would weaken the message of urgency you are sending. That’s also why in his letter to Zappos’ customers that follows the one to his employees, Hsieh refers to this aspect of the story as “the better news,” not a good or positive one.
Hsieh finishes his email in this way:
The most important focus for us right now is the safety and security of our customers’ information. Within the next hour, we will begin the process of notifying the 24+ million customer accounts in our database about the incident and help step them through the process of choosing a new password for their accounts. (We’ve already reset and expired their existing passwords.)
Lesson 5: reiterate your commitment to solving your customers’ problem and say what you are doing about it. You need to look at the issue through the eyes of your customers. They don’t care what your company is going through or how much the clean-up will cost you. The only things your customers care about are how big the damage is and what you are doing to protect their interests. That’s what you should be telling them, and that is precisely what Hsieh has done.
Then Hsieh attaches the email that his company will be sending to its customers, which informs them of the data breach and tells them what the company has already done to remedy the issue. The letter also asks that customers do the following:
PLEASE CREATE A NEW PASSWORD:
We have expired and reset your password so you can create a new password.
Lesson 6: tell your customers what they need to do. Your customers’ credentials must now be treated as compromised, so new log-in credentials need to be created, and the old ones must stop working before the notification goes out, not after (note the order in Hsieh’s email: the passwords were already expired when customers were told). Make the process as simple and straightforward as you can and clearly tell your customers what they need to do. Again, Zappos has done just that.
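What “we’ve already reset and expired their existing passwords so you can create a new password” looks like as a mechanism, as an added illustration that is not Zappos’ code or part of the original post. The in-memory account store, the function names, the PBKDF2 parameters and the 24-hour token lifetime are assumptions; the sample account is constructed for the example. The point it shows that the post only states: the old hashes are invalidated and live sessions dropped before any notification, and the new password can only be set through a single-use, time-limited token of which only a hash is stored.

```python
"""Forced credential reset after a breach (illustrative; not Zappos code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

PBKDF2_ROUNDS = 200_000           # assumption for the example
TOKEN_TTL_SECONDS = 24 * 3600     # assumption: reset links live for a day


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    email: str
    salt: bytes
    password_hash: bytes
    password_expired: bool = False
    sessions: Set[str] = field(default_factory=set)
    reset_token_hash: Optional[bytes] = None
    reset_token_expires: Optional[int] = None


def make_account(email: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(email, salt, hash_password(password, salt))


def expire_all_passwords(db: Dict[str, Account]) -> int:
    """Breach response step: no stored password may be used again and no
    live session may outlive it. Hashes are flagged, not deleted; the only
    way back in is complete_reset(). Returns the number of accounts touched."""
    for acct in db.values():
        acct.password_expired = True
        acct.sessions.clear()
    return len(db)


def login(db: Dict[str, Account], email: str, password: str) -> bool:
    acct = db.get(email)
    if acct is None or acct.password_expired:
        return False
    return hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash)


def issue_reset_token(db: Dict[str, Account], email: str, now: int) -> str:
    """Return the plaintext token to send to the customer. Only its SHA-256
    is stored, so a copy of the reset table cannot be used to take over
    accounts."""
    acct = db[email]
    token = secrets.token_urlsafe(32)
    acct.reset_token_hash = hashlib.sha256(token.encode()).digest()
    acct.reset_token_expires = now + TOKEN_TTL_SECONDS
    return token


def complete_reset(db: Dict[str, Account], email: str, token: str,
                   new_password: str, now: int) -> bool:
    """Set a new password if the token is valid, unexpired and unused."""
    acct = db.get(email)
    if acct is None or acct.reset_token_hash is None:
        return False
    if now > acct.reset_token_expires:
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, acct.reset_token_hash):
        return False
    # Single use: burn the token before doing anything else.
    acct.reset_token_hash = None
    acct.reset_token_expires = None
    acct.salt = secrets.token_bytes(16)           # fresh salt with the new password
    acct.password_hash = hash_password(new_password, acct.salt)
    acct.password_expired = False
    return True


if __name__ == "__main__":
    # Constructed sample account for a stand-alone run.
    store = {"customer@example.com": make_account("customer@example.com", "old-pass")}
    print("expired accounts:", expire_all_passwords(store))
    print("old password still works?", login(store, "customer@example.com", "old-pass"))
    t = issue_reset_token(store, "customer@example.com", now=0)
    print("reset accepted?", complete_reset(store, "customer@example.com", t, "new-pass", now=60))
    print("new password works?", login(store, "customer@example.com", "new-pass"))
```

Two details carry the weight here: the reset must be applied to every account as one operation before customers are contacted, and a token is burned on first successful use so the email containing it cannot be replayed later.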
The letter provides a link to a page where Zappos customers can go to for updates and also informs them that:
We have made the hard decision to temporarily turn off our phones and direct customers to contact us by email because our phone systems simply aren’t capable of handling so much volume. (If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place.)
Lesson 7: if your customers will be inconvenienced in some way, inform them beforehand and explain why. The worst thing you could do, if things started working differently from the way they used to, would be to keep customers in the dark as to the reason. That would be a sure way to provoke a torrent of negative publicity in the form of angry tweets and comments on the news stories covering the event. So if your customers will be seeing changes in the way you communicate with them, tell them what they should be expecting and why (and make sure there is a good reason for it!).
The Takeaway
Bad things do happen and data breaches are certainly no exception. Your customers understand that and will give you the benefit of the doubt, if you do suffer a breach, unless you’ve been egregiously negligent in protecting their information. Your response to the crisis will be the only thing that determines whether the issue is resolved with minimal damage and inconvenience to your customers or it deteriorates into a PR disaster.
Zappos is giving us a lesson on how to do this properly and we should all be taking notes.
Image credit: Zappos.
I agree, Zappos has delivered a best-practice for how to handle data breaches.
But I worry that while billions are spent trying to prevent big disasters, no one is worried about the thousands of small breaches that occur every day as contact center agents commit various types of fraud with customers’ credit card information.
It happens all the time, and though you rarely read about people getting caught, the stories are out there: http://www.pcworld.com/article/227190/netflix_fires_call_center_worker_for_stealing_data.html
http://www.youtube.com/watch?v=hqO7i1s3-2g&feature=player_embedded
The maddening part of this is that it is unnecessary. It is not at all difficult to process customer credit cards without ever seeing or hearing the information. Customers can use their phone keypad to enter their information directly into the CRM or, even better, right into the payment gateway. The latter approach means that the most sensitive of the customers’ PII is never even stored at the company. Both approaches reduce PCI scope. http://cardnotpresent.com/library/default.aspx?id=498&__taxonomyid=97
While we need to direct resources towards preventing data center breaches because of the havoc they wreak on customers and the PR disaster that follows, individual customers who have had their identities stolen and accounts compromised wish we would have been as diligent putting controls in place to protect these more mundane transactions.
Dennis Adsit,
It is true that small-scale data breaches have just as big a cumulative impact as the better publicized Zappos-like events. You are right, there is a lot to be desired from the payment processing technologies used today.
Zappos is a great company and they’ve proved it with the way they’ve handled the data breach. A couple of months on, no one even remembers it, which is how you want these things to be.
Zappos did a really good job at being open about disclosing what took place and taking actions to get it resolved quickly. It’s a great company and they showed it.