The pre-conference workshop entitled 'Trust is a Terrible Thing to Waste' from the 2010 International Association of Privacy Professionals conference in Washington, D.C. The session reviewed why trust is important, how to handle crisis communications, and how to build trust before a crisis hits.

1. Trust is a Terrible Thing to Waste How to Use Communications to Protect Reputation And Advance Privacy Objectives

4. A formula for success Security + Privacy + Performance = Trust

5. What the data say

6. We spend a lot on security

7. Businesses are substantially increasing their expenditure on security software, despite the economic slowdown. Gartner (2008)

8. Finding #3. Yet far fewer executives are actually “cutting security back”. And among the half or less that are taking action, most are taking the least dramatic response. Global State of Information Security Survey (PwC, CIO & CSO Magazines 2010)

9. We talk a lot about the money we spend.

10. Google “IT security spending” and you get 47 million results. Bing it and you get 36 million results

11. We spend a lot on product performance.

12. Federal research & development totaled $150 billion in 2007.

13. $225 billion in annual corporate research & development spending in the U.S. Business Roundtable 2010 CEO Survey

14. About 200,000 new products introduced globally each year.

15. We talk a lot about the money we spend.

16. Bing “new product research and development” and you get 2.2 million results Google it and you get 73 million results

17. We spend a lot on privacy.

18. Significant investment in privacy Technology Compliance monitoring Data collection & handling procedures Training

19. We DON’T talk a lot about the money we spend.

20. We allow our story to be told by failures.

21. Since 2005, the Privacy Rights Clearinghouse says that 350 million individual records have been breached.

22. In the last year, according to the Identity Theft Resource Center, 6.3 million records were affected in 218 breaches.

23. The business effect of misuse It costs $6.6 million on average when an organization suffers a data breach, and more than $200 per compromised record, according to a survey conducted by the Ponemon Institute.

24. Just as with security and performance, we can get a return on our privacy investment.

25. The nature of online privacy Control, not anonymity

27. Consumer’s view We care greatly about privacy We don’t do much about it Pew, too

28. This is the opening for communications More than managing risk More than damage control Adding an accelerant to the formula for success Security + Privacy + Performance = Trust

29. Public value of the investment Communications is the key to unlocking a market return on the investment already made.

30. The first question to ask is: Who are you?

31. II. When Trust is Broken Joe Carberry, The MS&L Group

32. What we’re talking about How should I respond if/when data is misused or stolen? Current Public Environment Managing Through Crisis Case Study Exercise

33. The Environment

34. What we’re up against…

36. Hundreds of publicly reported breaches; many more not disclosed

37. The number of breaches continues to increase year-over-year

38. Only 36% of C-suite confident they won’t suffer breach *

39. Cost of breach now $6.6 million *As more and more business is conducted and recorded via electronic means, risks related to data and privacy will increase. *Ponemon Institute

40. The Point? Data misuse/theft not question of “if” but “when” Crises often happen in full view, in real time – with significant impact More at risk in a data breach than just data

41. Bottom Line “A promise must never be broken.” - Alexander Hamilton

42. Managing a Breach of Trust

43. What Makes a Crisis? Can be triggered by various kinds of events: Operational failures Malfeasance Human error Natural disasters Business set-backs Competitor or third-party attacks An issue becomes a “crisis” when the organization’s business prospects are threatened in the eyes of its stakeholders You do not define “crisis” – someone else does Crisis rule #1: somebody always find out. Always.

44. A Crisis Subtracts Value Crises undermine stakeholder confidence in an organization: Short- and long-term growth potential Sustainable return on capital Quality (focus) of management Ability to manage risk to the business Source: Adapted from McKinsey

45. Managing Risk Legal Risk Patchwork quilt of state and federal regulations Litigation exposure Protection: Sound legal counsel Operational Risk Validate and comply with industry standards (i.e., PCI DSS) Work with appropriate vendors, technology Protection: Ongoing diligence, best practices Reputational Risk Reputation impacts business (customers, employees, suppliers, investors, etc.) Reputational risk often overlooked Protection: Preparation, established crisis protocols *Ponemon Institute ** Harris Interactive Poll

46. Who Cares? 43 Customers SalesChannel Investors Organization Supply Chain Policymakers Local Community Employees On which stakeholders do you rely for success? What do they think?

47. What Can You Do? Be Prepared Success proportionate preparation Activate crisis response at first sign of exposure Move Quickly Early and honest communication Someone else shaping news robs you of control Take Action Work to resolve underlying issue People perceive data as “theirs”, not the company’s -- demonstrate stewardship Individual should remain the “north star” Be Responsible Facing fear and suspicion – respond with transparency and responsibility Consumers will forgive mistakes, but failure to act responsibly.

48. Keep in Mind Taking Responsibility is not the same as Taking the Blame

49. The Message What stakeholders generally want to hear: You’ve stopped the bleeding Make sure the problem is no longer occurring. You’re making amendsTake steps to address the impact among affected parties (not the same as admitting guilt). It’ll never happen againTake steps to ensure similar issues don’t happen in the future.

50. Crisis Protocol

52. Early Warning System

53. Crisis/Situation Protocol

54. Monitoring (especially digital)Objective: Prepare for Action

56. Assemble a Crisis Response Team

57. Put in place tracking toolsObjective: Assessment & Strategy

59. Identify impacted stakeholders and expectations

60. Disseminate info to stakeholders quickly, frequently

61. Correct inaccuracies quickly

62. Manage digital impact – address contagionObjective: Take Control

64. Plan for additional challenges

65. New information

66. Critics

67. Catalog business remediation steps

68. CountermeasuresObjective: Focus on Solutions

70. Explore business changes related to situation

71. Examine tactics to rebuild reputation

72. Conduct debrief; identify areas for improvementObjective: Rebuild

73. Case Study Exercise

74. The Environment Trust of large corporations is low Security is pervasive issue in news media Lots of online chatter about data breaches Half of consumers cite privacy/security as a top concern Legislators eager to protect consumers

75. The Situation XYZ.Com is a major online retailer The company has experienced a data breach Tens of millions of accounts; three years Payment information stored in violation of PCI standards Customers’ names, card numbers and expiry dates involved Forensic investigation underway; external auditors US Secret Service investigating Card companies are aware; spotting fraud patterns

76. Financial Institutions Suppliers Customers XYZ Online Community Policymakers Stakeholders Employees Shareholders Law Enforcement

77. Your Challenge Competing stakeholder needs US Secret Service requesting delay in public disclosure Financial institutions want all available information, ASAP Federal legislators have called for immediate disclosure of all breaches Polling data show consumers want disclosure, but less likely to do business with breached organization 30 state statutes require immediate disclosure to impacted consumers High risk associated with disclosure Potential for brand damage with disclosure Litigation risk of disclosing Broad consumer disclosure drives customer services costs – at XYZ and associated parties (banks)

78. The Wall Street Journal calls; they have the story... What do you do?

80. Your Response Who is involved? Who is most impacted? Who should be at the table internally? What do you do first? Do you disclose publicly? When and how? What should you say? What business changes do you recommend to management? What can you do to restore trust?

81. Remember… Misuse/theft of data creates risk Breach reduces trust Lower trust impacts brand/reputation Tarnished brand/reputation harms business Crisis response should be well planned, aligned This is not about “spin”

82. Rahm Emanuel… “You don’t ever want a crisis to go to waste.”

83. QUESTIONS?

84. BREAK

85. III. Making Your Case Rosetta Jones, Visa Inc.

87. What is Visa? What We Are What We Are Not Global payments technology company Transaction-processing network that connects cardholders, merchants and financial institutions Credit card issuer Lender Exposed to consumer credit risk Payments technology company that helps power the global economy.

88. Statistical Overview Visa Inc. is the world’s largest retail electronic payments network, with more than $4.4 trillion transacted on our payment products over the four quarters ended Dec. 31, 2009. Total Volume* * Visa Cards 1.8B 16,100 1.6M ATMs*** Financial Institution Customers Visa Inc. Operates the world’s largest retail electronic payments network* $2.8T $4.4T Payments Volume Total Transactions**** Statistical data in U.S. dollars; ATMs, financial institutions and cards based on four quarters ended Sept. 30, 2009. Excludes Visa Europe, unless otherwise noted *Based on payments volume, total volume, number of transactions and number of cards in circulation. Figures are rounded. ** Includes payments and cash transactions. *** As reported by client financial institutions and therefore may be subject to change; includes merchant outlets and ATMs in the Visa Europe territory. **** Includes payments and cash transactions. 62B Visa Confidential

89. Payment Security = Data Privacy Cash Perceived Safest at POS Privacy/no personal information cited as leading reason Even those very comfortable with emerging technology only give mobile phones a score of 4.2. I’m going to read you some ways you can pay for things at a store and please tell me how safe you think each form of payment is on a scale from 1 to 10 where 1 is not at all safe and 10 is very safe… 69

90. Integrating Security…. Print advertising

91. Integrating Security…. Brand advertising

92. Integrating Security…. Client Marketing

93. Integrating Security…. Corporate Social Responsibility

94. Debit Breach Response Visa debit is fastest growing product An integrated response program that included advertising, PR, pre and post campaign tracking, and data analysis “Security breaks could curtail debit card use….” March 13, 2006

95. Security is Visa Asset By a large margin more cardholders view Visa as a part of the solution on the issue of fraud than believe it is part of the problem. Visa Job Approval Total Approve Total Disapprove Strongly Approve Net Approve Thinking specifically about Visa, from the same list of issues please tell me whether you approve or disapprove of the job Visa is doing to handle that issue… Highlighted Data Slides 75

96. Top 109 List 1 Listen. Ask questions of key internal influencers about fears, opportunities, internal product development. Get smart. Know who’s saying what about you outside the company and the vulnerabilities inside the company. Start with the bottom-line; demonstrate growth opportunity or barrier to growth that can/should be addressed. Use reason, not passion. Only the emotion will be heard. Be the voice of the customer. Make it objective -- DATA, DATA, DATA. Bring the company along. Use the experience of the dead bodies that have forged the privacy path before you. All else fails, fear works 2 3 4 5 6 7 8 9

97. IV. BUILDING TRUST Dave Steer, Common Sense Media

98. What we’re talking about How do I market trust and privacy? Why privacy is important to marketers What you can do to make trust and privacy a differentiator

99. Why is trust so important?

100. First, a question… WHAT ARE THEY DOING TO BE MOST TRUSTED IN PRIVACY? Source: TRUSTe/Ponemon 2009

101. Sometimes there is tension between marketing and privacy people “I just want to be able to better target our message to the right consumer” “This will make for a better customer experience since they’ll only see what’s important to them” “Telling them about our policies is a distraction. It should be about our product benefits.”

102. But trust is vital for marketers. Trust = Brand Advantage Privacy creates an opportunity for a trusted relationship with consumers which enables companies to differentiate their brands

103. “The Great Trust Offensive” “…trust is the number one driver of any brand at the most fundamental level. We buy what we trust and keep buying; familiarity and trust are big, big drivers of loyalty and brand value.” Andy Bates, CEO, Interbrand

104. But with privacy, it’s complicated

105. Which is why most companies play defense “I can’t help noticing that more and more technology companies are exposing people’s information publicly and then backpedaling a few weeks out.” danahboyd, Harvard Berkman Center

106. Building trust

107. Brands focus on building credibility The Credibility Lifecycle Source: Stanford, B.J. Fogg, 2002

108. A ‘trust lens’ of messaging & programs Reassurance: Show the protections that are in place, the company, what others say, etc. Education: Enable people to protect themselves, show what you are doing Support: ‘Being there’ when something goes wrong. Source: Stanford, B.J. Fogg, 2002

109. So, how can you build trust?

110. 1. LISTEN TO your customers and embrace two-way communication The proposed Facebook privacy policy received thousands of comments

111. 2. Have a clear, compelling message Start by answering these questions… Who is the target audience? What is your single key message? What is the benefit of your privacy program? Why should they care? What are the barriers to them understanding your message The toughest part is balancing simplicity with transparency

112. 3. BUILD privacy messaging into the EXPERIENCE A typical customer experience What privacy questions will they ask? When will they ask? How can you reassure, support, and educate?

113. 4. Educate, educate, educate About safe, responsible BEHAVIOR About safe uses of your PRODUCT

114. 4. Safe, responsible behaviors…

115. 4. PRODUCT safety

116. 5. Tell people what you’re doing to protect them

117. Summing it up Listen to your customers – and embrace 2-way communication Develop a clear, compelling message Build privacy messaging and support into the brand experience Educate, educate, educate Tell them how you are protecting them

118. Remember Trust = Brand Advantage Privacy creates an opportunity for a trusted relationship with consumers which enables companies to differentiate their brands

119. V. Putting it all together John Berard, Credible Context

120. Bringing it all together Security + Privacy + Performance = Trust Trust = Brand Advantage

121. Thank You.