IAPP - Trust is Terrible Thing to Waste

Trust is a Terrible Thing to Waste
How to Use Communications to Protect Reputation And Advance Privacy Objectives

The Panel
Rosetta JonesHead of Issues ManagementVisa Inc.
John BerardPrincipalCredible Context
Joe CarberryPresident, Western RegionThe MS&L Group
Dave SteerDirector of MarketingCommon Sense Media

I. The state of trust
John Berard, Credible Context

A formula for success
Security + Privacy + Performance = Trust

What the data say

We spend a lot on security

Businesses are substantially increasing their expenditure on security software, despite the economic slowdown.
Gartner (2008)

Finding #3. Yet far fewer executives are
actually “cutting security back”. And among
the half or less that are taking action, most
are taking the least dramatic response.
Global State of Information Security Survey
(PwC, CIO & CSO Magazines 2010)

We talk a lot about the money we spend.

Google “IT security spending” and you get 47 million results.
Bing it and you get 36 million results

We spend a lot on product performance.

Federal research & development totaled
$150 billion in 2007.

$225 billion in annual corporate research & development spending in the U.S.
Business Roundtable 2010 CEO Survey

About 200,000 new products introduced globally each year.

We talk a lot about the money we spend.

Bing “new product research and development” and you get 2.2 million results
Google it and you get 73 million results

We spend a lot on privacy.

Significant investment in privacy
Technology
Compliance monitoring
Data collection & handling procedures
Training

We DON’T talk a lot about the money we spend.

We allow our story to be told by failures.

Since 2005, the Privacy Rights Clearinghouse says that 350 million individual records have been breached.

In the last year, according to the Identity Theft Resource Center, 6.3 million records were affected in 218 breaches.

The business effect of misuse
It costs $6.6 million on average when an organization suffers a data breach, and more than $200 per compromised record, according to a survey conducted by the Ponemon Institute.

Just as with security and performance, we can get a return on our privacy investment.

The nature of online privacy
Control, not anonymity

Reflected in the percentages
About half of us Google ourselves
That’s twice what it was a few years ago
But only about 3 in 100 do it regularly
60 percent of us are not worried about the volume of online information about us
More than half of us Google others
Pew Internet & American Life Project

Microsoft’s Boyd put it this way:
“When they feel as though control has been taken away from then or when they lack the control they need to do the right thing, they scream privacy foul.”
Witness: Facebook, Google

Consumer’s view
We care greatly about privacy
We don’t do much about it
Pew, too

This is the opening for communications
More than managing risk
More than damage control
Adding an accelerant to the formula for success

Public value of the investment
Communications is the key to unlocking a market return on the investment already made.

The first question to ask is:
Who are you?

II. When Trust is Broken
Joe Carberry, The MS&L Group

What we’re talking about
How should I respond if/when data is misused or stolen?
Current Public Environment
Managing Through Crisis
Case Study Exercise

The Environment

What we’re up against…

The Risk
Electronic data widespread in every industry
Hundreds of publicly reported breaches; many more not disclosed
The number of breaches continues to increase year-over-year
Only 36% of C-suite confident they won’t suffer breach *
Cost of breach now $6.6 million *
As more and more business is conducted and recorded via electronic means, risks related to data and privacy will increase.
*Ponemon Institute

The Point?
Data misuse/theft not question of “if” but “when”
Crises often happen in full view, in real time – with significant impact
More at risk in a data breach than just data

Bottom Line
“A promise must never be broken.”
- Alexander Hamilton

Managing a Breach of Trust

What Makes a Crisis?
Can be triggered by various kinds of events:
Operational failures
Malfeasance
Human error
Natural disasters
Business set-backs
Competitor or third-party attacks
An issue becomes a “crisis” when the organization’s business prospects are threatened in the eyes of its stakeholders
You do not define “crisis” – someone else does
Crisis rule #1: somebody always find out. Always.

A Crisis Subtracts Value
Crises undermine stakeholder confidence in an organization:
Short- and long-term growth potential
Sustainable return on capital
Quality (focus) of management
Ability to manage risk to the business
Source: Adapted from McKinsey

Managing Risk
Legal Risk
Patchwork quilt of state and federal regulations
Litigation exposure
Protection: Sound legal counsel
Operational Risk
Validate and comply with industry standards (i.e., PCI DSS)
Work with appropriate vendors, technology
Protection: Ongoing diligence, best practices
Reputational Risk
Reputation impacts business (customers, employees, suppliers, investors, etc.)
Reputational risk often overlooked
Protection: Preparation, established crisis protocols
*Ponemon Institute
** Harris Interactive Poll

Who Cares?
43
Customers
SalesChannel
Investors
Organization
Supply Chain
Policymakers
Local Community
Employees
On which stakeholders do you rely for success? What do they think?

What Can You Do?
Be Prepared
Success proportionate preparation
Activate crisis response at first sign of exposure
Move Quickly
Early and honest communication
Someone else shaping news robs you of control
Take Action
Work to resolve underlying issue
People perceive data as “theirs”, not the company’s -- demonstrate stewardship
Individual should remain the “north star”
Be Responsible
Facing fear and suspicion – respond with transparency and responsibility
Consumers will forgive mistakes, but failure to act responsibly.

Keep in Mind
Taking Responsibility
is not the same as
Taking the Blame

The Message
What stakeholders generally want to hear:
You’ve stopped the bleeding Make sure the problem is no longer occurring.
You’re making amendsTake steps to address the impact among affected parties (not the same as admitting guilt).
It’ll never happen againTake steps to ensure similar issues don’t happen in the future.

Crisis Protocol

Stage 0: Preparation
Risk Assessment
Early Warning System
Crisis/Situation Protocol
Monitoring (especially digital)
Objective: Prepare for Action

Stage 1: Crisis Breaks
Confirm viability of issue, pertinent details
Assemble a Crisis Response Team
Put in place tracking tools
Objective: Assessment & Strategy

Stage 2: Rapid Response
Establish “War Room”
Identify impacted stakeholders and expectations
Disseminate info to stakeholders quickly, frequently
Correct inaccuracies quickly
Manage digital impact – address contagion
Objective: Take Control

Stage 3: Ongoing Crisis
Story will evolve
Plan for additional challenges
New information
Critics
Catalog business remediation steps
Countermeasures
Objective: Focus on Solutions

Stage 4: Post-Crisis
Understand impact on stakeholders
Explore business changes related to situation
Examine tactics to rebuild reputation
Conduct debrief; identify areas for improvement
Objective: Rebuild

Case Study Exercise

The Environment
Trust of large corporations is low
Security is pervasive issue in news media
Lots of online chatter about data breaches
Half of consumers cite privacy/security as a top concern
Legislators eager to protect consumers

The Situation
XYZ.Com is a major online retailer
The company has experienced a data breach
Tens of millions of accounts; three years
Payment information stored in violation of PCI standards
Customers’ names, card numbers and expiry dates involved
Forensic investigation underway; external auditors
US Secret Service investigating
Card companies are aware; spotting fraud patterns

Financial Institutions
Suppliers
Customers
XYZ
Online Community
Policymakers
Stakeholders
Employees
Shareholders
Law Enforcement

Your Challenge
Competing stakeholder needs
US Secret Service requesting delay in public disclosure
Financial institutions want all available information, ASAP
Federal legislators have called for immediate disclosure of all breaches
Polling data show consumers want disclosure, but less likely to do business with breached organization
30 state statutes require immediate disclosure to impacted consumers
High risk associated with disclosure
Potential for brand damage with disclosure
Litigation risk of disclosing
Broad consumer disclosure drives customer services costs – at XYZ and associated parties (banks)

The Wall Street Journal calls; they have the story...
What do you do?

Your Response
Who is involved? Who is most impacted?
Who should be at the table internally?
What do you do first?
Do you disclose publicly? When and how?
What should you say?
What business changes do you recommend to management?
What can you do to restore trust?

Remember…
Misuse/theft of data creates risk
Breach reduces trust
Lower trust impacts brand/reputation
Tarnished brand/reputation harms business
Crisis response should be well planned, aligned
This is not about “spin”

Rahm Emanuel…
“You don’t ever want a crisis to go to waste.”

QUESTIONS?

III. Making Your Case
Rosetta Jones, Visa Inc.

What is Visa?
What We Are
What We Are Not
Global payments technology company
Transaction-processing network that connects cardholders, merchants and financial institutions
Credit card issuer
Lender
Exposed to consumer credit risk
Payments technology company that helps power the global economy.

Statistical Overview
Visa Inc. is the world’s largest retail electronic payments network, with more than $4.4 trillion transacted on our payment products over the four quarters ended Dec. 31, 2009.
Total Volume*
*
Visa Cards
1.8B
16,100
1.6M
ATMs***
Financial Institution Customers
Visa Inc. Operates the world’s largest retail electronic payments network*
$2.8T
$4.4T
Payments Volume
Total Transactions****
Statistical data in U.S. dollars; ATMs, financial institutions and cards based on four quarters ended Sept. 30, 2009.
Excludes Visa Europe, unless otherwise noted
*Based on payments volume, total volume, number of transactions and number of cards in circulation. Figures are rounded.
** Includes payments and cash transactions.
*** As reported by client financial institutions and therefore may be subject to change; includes merchant outlets and ATMs in the Visa Europe territory.
**** Includes payments and cash transactions.
62B
Visa Confidential

Payment Security = Data Privacy
Cash Perceived Safest at POS
Privacy/no personal information cited as leading reason
Even those very comfortable with emerging technology only give mobile phones a score of 4.2.
I’m going to read you some ways you can pay for things at a store and please tell me how safe you think each form of payment is on a scale from 1 to 10 where 1 is not at all safe and 10 is very safe…
69

Integrating Security….
Print advertising

Brand advertising

Client Marketing

Corporate Social Responsibility

Debit Breach Response
Visa debit is fastest growing product
An integrated response program that included advertising, PR, pre and post campaign tracking, and data analysis
“Security breaks could curtail debit card use….”
March 13, 2006

Security is Visa Asset
By a large margin more cardholders view Visa as a part of the solution on the issue of fraud than believe it is part of the problem.
Visa Job Approval
Total Approve Total Disapprove Strongly Approve Net Approve
Thinking specifically about Visa, from the same list of issues please tell me whether you approve or disapprove of the job Visa is doing to handle that issue…
Highlighted Data Slides
75

Top 109 List
1
Listen. Ask questions of key internal influencers about fears, opportunities, internal product development.
Get smart. Know who’s saying what about you outside the company and the vulnerabilities inside the company.
Start with the bottom-line; demonstrate growth opportunity or barrier to growth that can/should be addressed.
Use reason, not passion. Only the emotion will be heard.
Be the voice of the customer.
Make it objective -- DATA, DATA, DATA.
Bring the company along.
Use the experience of the dead bodies that have forged the privacy path before you.
All else fails, fear works
2
3
4
5
6
7
8
9

IV. BUILDING TRUST
Dave Steer, Common Sense Media

What we’re talking about
How do I market trust and privacy?
Why privacy is important to marketers
What you can do to make trust and privacy a differentiator

Why is trust so important?

First, a question…
WHAT ARE THEY DOING TO BE
MOST TRUSTED IN PRIVACY?
Source: TRUSTe/Ponemon 2009

Sometimes there is tension between marketing and privacy people
“I just want to be able to better target our message to the right consumer”
“This will make for a better customer experience since they’ll only see what’s important to them”
“Telling them about our policies is a distraction. It should be about our product benefits.”

But trust is vital for marketers.
Trust = Brand Advantage
Privacy creates an opportunity for a trusted relationship with consumers which enables companies to differentiate their brands

“The Great Trust Offensive”
“…trust is the number one driver of any brand at the most fundamental level.
We buy what we trust and keep buying; familiarity and trust are big, big drivers of loyalty and brand value.”
Andy Bates, CEO, Interbrand

But with privacy, it’s complicated

Which is why most companies play defense
“I can’t help noticing that more and more technology companies are exposing people’s information publicly and then backpedaling a few weeks out.”
danahboyd, Harvard Berkman Center

Building trust

Brands focus on building credibility
The Credibility Lifecycle
Source: Stanford, B.J. Fogg, 2002

A ‘trust lens’ of messaging & programs
Reassurance: Show the protections that are in place, the company, what others say, etc.
Education: Enable people to protect themselves, show what you are doing
Support: ‘Being there’ when something goes wrong.
Source: Stanford, B.J. Fogg, 2002

So, how can you build trust?

1. LISTEN TO your customers and embrace two-way communication
The proposed Facebook privacy policy received thousands of comments

2. Have a clear, compelling message
Start by answering these questions…
Who is the target audience?
What is your single key message?
What is the benefit of your privacy program?
Why should they care?
What are the barriers to them understanding your message
The toughest part is balancing simplicity with
transparency

3. BUILD privacy messaging into the EXPERIENCE
A typical customer experience
What privacy questions will they ask?
When will they ask?
How can you reassure, support, and educate?

4. Educate, educate, educate
About safe, responsible BEHAVIOR
About safe uses of your PRODUCT

4. Safe, responsible behaviors…

4. PRODUCT safety

5. Tell people what you’re doing to protect them

Summing it up
Listen to your customers – and embrace 2-way communication
Develop a clear, compelling message
Build privacy messaging and support into the brand experience
Educate, educate, educate
Tell them how you are protecting them

Remember
Privacy creates an opportunity for a trusted relationship with consumers which enables companies to differentiate their brands

V. Putting it all together
John Berard, Credible Context

Bringing it all together

Thank You.

The Panel
Rosetta JonesHead of Issues ManagementVisa Inc.704.444.3815rjones@visa.com
John BerardPrincipleCredible Context415.845.4388john@crediblecontext.com
Joe CarberryPresidentWestern U.S. Region415.293.2805joe.carberry@mslworldwide.com
Dave SteerDirector of MarketingCommon Sense Media415.845.5110dsteer@commonsensemedia.orgwww.steermarketing.netwww.twitter.com/steerdave

IAPP - Trust is Terrible Thing to Waste

by Dave Steer

Accessibility

Categories

Upload Details

Usage Rights

1 Embed 5

Statistics

IAPP - Trust is Terrible Thing to Waste Presentation Transcript