
Data Stolen: Search For Papers, People, and Interests

stolen

Uploaded by

Supriya Sarkar

10/28/2019 (16) (PDF) [8] data stolen | Annis Paramita Dilla - Academia.edu

[8] data stolen


Annis Paramita Di…

https://www.academia.edu/19991879/_8_data_stolen?auto=download 1/13
Boss, I Think Someone Stole Our Customer Data • HBR

Whether you win or lose, it costs you—and there’s bound to be a lot of media coverage.”

“Aren’t we required to disclose this to our customers immediately?” Frank inquired.

“Three of the states in which you operate require immediate disclosure, and the other three do not,” Darrell noted. “But from what I understand, you don’t know what role, if any, Flayton’s has in this possible crime. A bank has identified a pattern. There seems to be a correlation between cards with fraudulent activity and cards used to make purchases at Flayton’s. That could be a coincidence. At this time, we have no actual evidence of a data breach at Flayton’s. None.”

“What are we supposed to do?” Brett pressed. “Doing nothing is not an option. Not for me.”

“That is exactly what you should do,” Darrell asserted. He turned to Sally. “Your communication strategy should be not to talk to anyone. If you do get a call from the media, simply confirm that Flayton’s has been contacted by law enforcement authorities regarding an investigation about which you have been given no information and with which you are cooperating fully. Refer them to the Secret Service. They don’t tell anybody anything.”

“That may work for now,” Brett acknowledged, “but, Sally, I want you to anticipate the next steps. However we communicate eventually, I want to offer straight talk, not spin.”

Darrell sat down.

Brett knew there were no easy answers. His online search last night had turned up a recent survey documenting that customers are reluctant to shop in stores known to have data breaches. Darrell was arguing that Flayton’s could be vulnerable simply by trying to do the right thing and getting the news out quickly. Yet, the company’s future depended on its reputation for fairness—one painstaki
over decades by Brett’s father.
“Well, the decision may soon be
hands,” said Sally. “I was reviewing
accounts, and one very interes
cropped up: Dave Stevens, evenin
chor at KCDK-TV. Apparently, we
home theater for him.” She turne
“Stories like this always leak someh
Brett shifted his jaw, pushed bac
and stood. “So if I understand thi
we have circumstantial but stron
that a breach has occurred, we
former employees who might or m
involved, some states that require w
feds who want us to shut up, and
personality among the victims. If w
we’ll probably get sued; if we don
will eventually leak. The feds may
petrators if we give them time, bu
guarantee. No matter what, our re
on the line, and competitors wil
ning promotional specials to lure
away first chance they get. And I a
ing if I can ever look a customer
the eye again. Did I miss anything?
Brett leaned forward and put b
firmly on the table. His eyes met th
member of his team. He knew—an
them all. “The one thing I’m sure of
Flayton name means something to
employees, and to our customers. W
to decide what to do. Today.”

How should the Flayton Electron
respond to the crisis? • Four comm
offer expert advice.
See Case Commentary

harvard business review • september 2007

 
 
              

Case Commentary
by James E. Lee

How should the Flayton Electronics team respond to the

Beyond fixing the firm’s weaknesses in data security, the CEO must develop a brand-restoration strategy.

How you react to news of a security breach at your company is, as a practical matter, much more important than what actually happened. Whether your business can survive the episode will depend on the corrective action you take and how you communicate about it to the various stakeholders. My firm’s experience offers an excellent illustration.

ChoicePoint provides decision-making insight to businesses and government through the identification, retrieval, storage, analysis, and delivery of data about individuals and institutions. In 2005 our company was the victim of a fraud scheme in which criminals posed as customers to obtain the personal information of 145,000 people from our data systems. No technology breach occurred, but the media characterized the incident as if one had. We discovered the nefarious activities ourselves and reported them to the Los Angeles County Sheriff’s Department, with whom we set up a sting operation that eventually led to the prosecution of a Nigerian crime ring.

We agonized over choosing the right strategy for alerting consumers whose data may have been obtained fraudulently from ChoicePoint. In the end, we notified everyone believed to be at risk, regardless of their state of residence. We updated employees daily, and we had frequent conference calls with managers and officers. Our CEO and other senior executives visited key customers and investors to share the many new policies and procedures we were adopting to prevent a recurrence. All of these stakeholders were, we recognized, pivotal to our survival.

Some of our preventive steps were radical, including abandoning a line of business worth $20 million because of its potential to risk a future data breach. Changes in culture often were required. For example, every employee must now pass yearly privacy and security training courses as a condition of employment.

At ChoicePoint, we learned quickly that in situations like these, many factors are beyond your control. The media can be a huge distraction. But it’s much worse than that. You face inquiries from many quarters, in ou
multiple state attorneys general,
Trade Commission, and the U.S. Co
might be sued by banks; by others
the credit card transaction chain, s
cessing companies and consumers
holders; and even by employees an
For Flayton Electronics, moving
the face of crisis will be essential.
crucial factor in the inevitable law
focus on what executives knew an
they knew it before going public.
ing the firm’s weaknesses in data se
Brett Flayton must develop a brand
strategy. The company should, as C
did, notify the affected customers
up toll-free information hotlines,
credit-monitoring services. Then th
ceed these basics with a broad ran
to keep customers loyal: Offer dis
sales, meet with critics of the compa
velop and promote new web pag
line reforms in the firm’s policies an
Communiqués will also need t
demonstrate responsiveness to dev
or else risk that the words of comp
tives will be perceived as just co
service. Tone is very important. P
ments must be not only accurate,
contrite, and honest.
Flayton’s will also have to addre
ence of blogs, viral videos, and o
media. Such user-generated con
tered by traditional journalists and
by anyone using an online search
often a mode of recruiting lawsu
and airing personal grievances.
Finally, Brett and his team wi
tience in spades. The problem w
away when the headlines do. Mit
effects on brand and reputation
estimate, three to five years. Flay
long road ahead.

James E. Lee ([email protected]
nior vice president and chief public and c
fairs officer at ChoicePoint, based in Alphar

 
               

Case Commentary
by Bill Boni

How should the Flayton Electronics team respond to the

You need people on hand with the digital expertise to match wits with tech-savvy cyber criminals.

Most senior executives have the insight and the measurement tools to assess potential damage from tangible disasters such as floods and fires. That’s not often the case when it comes to information security, including prevention of and planning for data theft. “Let the technical staff handle that” tends to be the default strategy, with responsibility relegated to nonsenior IT or corporate-security management. Businesses that are serious about protecting their data and preserving the data’s value should have a high-level official, such as a director or a vice president of information protection, who serves not merely as a manager but as a senior champion in this area.

Seven years ago, I was appointed Motorola’s first-ever corporate information security officer. As a data-protection leader, I am responsible for the firm’s information and IT environment globally and for having a comprehensive strategy for risk management.

One useful strategy component is to require every new initiative to identify, in the initial idea phase, the data that might be involved—and their value. This mandate builds appropriate safeguards right into the projects themselves. Also beneficial are policies, procedures, and training protocols that are customized for each company function, to reduce the likelihood that individuals will make wrong choices because they do not understand how the overall data standards apply to their specific roles.

Being fully PCI compliant is, of course, a vital first line of defense against data theft, and my best guess is that a third of companies meet that standard. However, increasingly capable cyber adversaries do not give up and offer you their congratulations because you did what you were supposed to do. During my tenure in information security, hobbyist hacking has evolved to become a much more sophisticated, parasitic extraction of valuable data from targeted organizations. One common fallacy is that silver bullet technology can save the day. I’ve seen organizations spend hundreds of millions of dollars on security safeguards that were penetrated by a knowledgeable person with a handheld device. For example, Motorola proved to one of its customers, who had invested heavily
the best protection technology ava
we could access their core busin
using just a smartphone and the In
To prevent and cope with dat
you need people on hand with
expertise to match wits with
cyber criminals and to understa
tems they’re targeting. Data prot
necessarily a core competency of e
or a traditional loss-prevention tea
dispensable are knowledge of the
privacy statutes and regulation
ability to gather and preserve sou
evant evidence. You can assemble a
team of lawyers, accountants,
enced digital-forensic investigator
enforcement or defense agenci
external sources such as law fir
accounting firms, and consulta
digital specialization.
Armed with facts from experts, y
sembled, Flayton’s should put la
ment on notice that the compan
serve customers and maintain its
Flayton’s can’t afford to wait ind
inform the public. The firm should
work with the Secret Service to ach
cutions but must also make it a
maintain the public’s trust while
fully with data-protection and priv
states that require breach disclosur
Until Flayton’s thoroughly und
security status, it risks making po
None of the managers or advisers
have enough experience or info
reach sound decisions about the ri
confronting. For example, allowin
wall to remain down may compr
more customer accounts. An
model response plan, such as tha
American Institute of Certified
countants, is one potential source
ate help for this company in crisis.

Bill Boni ([email protected]) is the
formation security officer for Motorola in S
Illinois. He is also a vice president and boa
the Information Systems Audit and Contro
a global organization based in Rolling Mea

 
               

Case Commentary
by John Philip Coghlan

How should the Flayton Electronics team respond to the

Making data security a priority for the future—and communicating the specific policy changes that flow from that—may allow the company to become recognized as a leader in this area.

A data breach can put an executive in an exceedingly complex situation, where he must negotiate the often divergent interests of multiple stakeholders. Witness the array of players you would encounter in a case like that of Flayton Electronics.

Banks that issue payment cards, such as the fictional Union Century, are often the first to spot possible fraud when their systems identify merchants who are common points of purchase for potentially compromised accounts. For the protection of their cardholders, they strongly support early identification of these merchants.

A bank that performs payment processing for a given merchant, called the acquiring bank, is protective of that business relationship and sensitive to the merchant’s interests. However, that bank is responsible to payment networks such as Visa and MasterCard for certifying merchant compliance with payment card industry standards. Therefore, the acquiring bank’s brand and reputation also are potentially threatened, and its interests are only partly aligned with those of the merchant.

Further complicating the situation is the role of law enforcement. The Secret Service has asked Flayton Electronics not to disclose the breach, believing that leaving the system vulnerability in place during surveillance provides the best chance to catch the thieves should they act again. Unfortunately, such requests can be open-ended, and with each passing day the opportunity for the company to lead in communications is frittered away. It is not illegal to refuse such appeals from law enforcement. On the contrary, many state laws require a breached entity to disclose specific information in a timely way.

Beyond the institutional stakeholders just described, there are consumer groups, legislators, shareholders, and of course the employees and customers, whose interests we see Brett Flayton actively considering. Regarding customers, the CEO might wish to know that in a study by Javelin Strategy & Re
of consumers said they’d be unlik
tinue shopping at a store once
learned of a data breach there.
So our harried CEO has no be
than disclosure. If he doesn’t spea
not allowing his customers the be
protecting themselves: by using a d
compromised payment card or by
transactions on the compromised
if he waits to learn more, Brett wil
have to go public, still lacking com
mation. In the meantime, he run
escalating risk that another party w
the breach, at which point he w
defend having violated his custo
The electronics firm has built its re
honesty, a fact that Brett and h
should not let each other forget.
So Flayton Electronics must com
right now—with its customers. A
potential avenues are to use conta
tion from the store’s own datab
up a special company web page; a
exclusive informational events, su
ins and webcasts—all reinforc
customer support hotline.
Of course, Brett should make su
gei addresses the known technolo
ness immediately. Customers wi
know when the system is safe aga
data security a priority for the f
communicating the specific poli
that flow from that—may allow th
to become recognized as a leader i
Research from Bain & Company
some hope: Customers who receiv
compensation after making a com
actually more loyal than are tho
complaints. So, if Brett Flayton’
provides a timely, focused, and e
sponse, his compromised custom
just become the most loyal of all.

John Philip Coghlan is a former presiden
Visa USA, headquartered in San Francisco

Case Commentary
by Jay Foley

How should the Flayton Electronics team respond to the

Not alerting customers right away is not the same as doing nothing.

The executives at Flayton Electronics are being misinformed by Darrell Huntington, their outside counsel. The companies that get sued are not those that are first to go public about a data breach but those that do so poorly. Right now, Flayton’s has no chance of putting out good information, because it doesn’t have any. Announcing inaccurate information and then having to correct it as the breach investigation evolves would encourage a feeding frenzy of plaintiffs’ lawyers. For now, Flayton’s should remain quiet, but for reasons different from Darrell’s.

Another misconception of the management team at Flayton’s is that they should consider notifying customers themselves. The credit card transactions belong to a bank that has protections in place for its cardholders.

For Flayton’s to mire itself in identifying private addresses for—and then contacting—potentially affected individuals would be to expose itself to liability. Someone else in the transaction chain, such as the credit card processing company, might very well be at fault, in which case it would be wise to wait for that party to come forward first. In fact, it is possible that the Secret Service investigation will show that the electronics retailer was not the source of the breach at all.

Law enforcement officials have asked Flayton’s to remain tight-lipped while they do their work, to give them a better chance of apprehending the criminals. If Flayton’s rushes into a public announcement, the bad guys have the chance to disappear, only to resurface elsewhere. Nothing positive will have been achieved with that result.

Instead, CEO Brett Flayton should calmly think through his crisis response. Not alerting customers is not the same as doing nothing. The company’s first action should be to reduce the risk for future thefts by closing any data-transaction loopholes that this incident has brought to light, provided that the Secret Service does not think it will interfere with their investigation. The executives at Flayton’s should also reevaluate their internal policies and procedures, and should establish regular self-audits and strategic-planning assessments.

Sergei, the CIO, really fell down
There’s no excuse for his sloppiness
Sadly, though, Sergei’s technolo
are not unique. In 2006 the Compu
Institute in San Francisco conduct
of 616 large, U.S.-based companies
that 52% had experienced some k
authorized use of their compute
Almost half of that subset said th
a laptop or mobile device theft.
Unfortunately, the true scope o
theft problem is not known. Hard
its long-term impact, whether for
or individuals, are scarce. From the
Security Institute, we have the
only 15% of their surveyed compan
financial losses as a result of cyb
breaches. We also know that mos
data theft do not then become
identity theft. Typically, a crimina
rack up a few quick purchases u
credit cards and then move on.
likely that customers at Flayton’s w
of this type of fraud. Thieves mi
ably assume that people who hav
buy fancy electronics have enou
able income not to notice extra
their accounts immediately.
Perhaps the most worrying i
that the criminal industry for inf
growing. I can go to MacArthur P
Angeles any day of the week and
exchange for a name, social securi
and date of birth. If I bring a lon
names and details, I walk away
man. This gritty new reality illus
much the value of personal data i
and should encourage every comp
data protection very seriously.

Jay Foley (jfoley@idtheftcenter.org) is
tive director of the Identity Theft Resou
San Diego.

Reprint R0709A
Case only R0709X
Commentary only R0709Z
To order, call 800-988-0886
or 617-783-7500 or go to www.hbrr