We’ve had a data breach. Let’s not tell anyone. 

It’s a basic question in the face of a data breach. Do we fix it and keep quiet? Or do we tell the world and risk the consequences? A major fuel company was recently confronted by this challenge, and their response and how they communicated it provide a worrying lesson for issue and crisis managers everywhere.

In November 2017 an unnamed person alerted New Zealand petrol company Z Energy that a “critical flaw” in its online fuel card system potentially exposed customer records, including names, vehicle registration details, where and when they bought petrol and, in some circumstances, even their home address.

Data breach reporting is not yet mandatory in NZ and the company decided to attempt a discreet system patch. However the anonymous customer later contacted them again, saying the so-called fix was “half baked” and data was still vulnerable. The company then took the system down, telling their 45,000 cardholders it was dealing with a “technical issue.” They subsequently told customers the site was down because “our technology experts have been building a new online portal.”

Then in June 2018, seven months after the initial report, and four months after the system was reinstated, it all began to unravel. The dissatisfied customer shared the story with local online news service Stuff Circuit, and the company response was disingenuous and unhelpful. “Yes, our Z Card Online system was taken down for a period whilst we made some improvements and changes. But it is now back up and running and we really don’t have any more to add on this.”

The reporters kept digging, and last month Z Energy CEO Mike Bennetts sat down for a videotaped interview. While confirming that a vulnerability had been identified in November 2017, he insisted their experts found no evidence at the time that data had been compromised. Therefore, he argued, it was a vulnerability issue not a breach and there was no need to tell customers. However, when presented on camera with a screenshot showing data from his own company’s vehicle fleet account he conceded: “It certainly is a security breach.”

The whole case seemed to be captured in reporter Paul Penfold’s final question. “Doesn’t it seem extraordinary that you had a whole ‘war room’ and were consulting with all these experts, yet one member of the public was able to simply change an account number and a URL and get all this information?”

Bennetts replied: “Yes, certainly very, very disappointing and I apologise to our customers. As I said, sometimes these things happen . . . This is something that was missed on the way through and we are very sorry about that.” Hardly a convincing apology or explanation.

On the basis of the ‘new information’ presented, Z Energy – which provides about one third of New Zealand’s petrol – only then disclosed the breach to the market and the Privacy Commissioner. Yet a company spokesperson admitted to Stuff Circuit that the very same evidence had been emailed to the company by the original informant seven months earlier, when the CEO was out of the country. Involvement by the media “now meant we chose to deal with this differently.” The spokesperson added that the company did not want to keep quiet about the incident, but did so on advice. “We repeatedly challenged this counsel as it did not sit well with our values, but ultimately chose to follow the advice of our experts given our commitment to cyber security.”

The most charitable interpretation which can be put on this sorry story is that the company tried to conceal an apparent data breach; failed to advise the regulator in a timely fashion; created a misleading narrative for customers; seemingly didn’t keep the CEO fully informed; and finally came clean only when there was no other option. Compare this with the value proudly stated in the company’s latest Annual Report: “We’re committed to being straight up with journalists and the media. That means providing meaningful information, giving straight answers, and setting new standards of transparency in our industry.”  Great promise. Poor delivery.

Footnote: At the time of writing a Bill introducing mandatory data breach reporting is currently before the NZ Parliament.

Posted in Crisis management, Crisis Prevention, Reputation risk

Make like a Boy Scout, Optus. Be Prepared

The Optus World Cup online streaming debacle was undoubtedly an epic technical and reputational fail. But it is also a critical lesson in the need for well-prepared crisis communication.

When thousands of paying customers were shut out of the biggest sporting event on the planet, the telco got caught up in mixed messages, and never adequately explained how it happened.

Optus purchased exclusive rights to stream most World Cup matches and share the balance with free-to-air public broadcaster SBS. It was a bold plan to attract new paying customers to the Optus brand, yet it all went wrong from day one, with many viewers blocked by buffering and error messages.

While the public outcry was inevitable and predictable, the technical failure was compounded by clumsy crisis communication. The company blamed “an extremely high number of viewers logging into our platforms just before kick-off, causing some systems to overload.” Which raises the obvious question, why would it be a surprise that viewers would log in just before kick-off?

Then Optus seemingly allowed their PR Manager to make the rather baffling comment that the company did not skimp on its back-end infrastructure, and add: “I can absolutely guarantee that we did not under-cater in any shape or form.” However CEO Allen Lew clearly said it was a load issue and promised: “We should have done better, we can do better and we will do better. We will solve this problem by the end of this evening.”

Unfortunately it was a well-intentioned but ill-judged pledge, because the problem continued next day. In fact Mr Lew’s premature assurance was reminiscent of when Andy Penn, CEO of rival telco Telstra, followed up a nationwide outage in 2016 by boasting that a review of their network showed its “incredible strength and resilience” . . . just one day before his system crashed again.

Meanwhile, an Optus spokeswoman tried to spread the blame: “Some customers who watched the match on the Optus Sports app, on certain devices through other telco networks, experienced buffering issues.” However, every crisis manager knows that in the midst of a public relations disaster it is never advisable to blame someone else – even when it’s not entirely your fault. And an unnamed staffer from the company’s broadcast studio was later reported saying “sensationalist” media outlets had made the streaming issues “seem like the end of the world.”

After intervention by the Prime Minister, Optus agreed to share some matches, and later all remaining matches, with the primary rights holder and offered refunds to customers.

Commenting on the system failure, Mumbrella’s Tim Burrows observed that “Streaming is not a mature technology and it’s not easy to get right.” While that charitable conclusion might be true, we are not concerned here with the technical aspects, but with the muddled communication. Bear in mind that this latest debacle came less than a year after Foxtel Australia’s network crashed for the premiere of the new season of Game of Thrones and they blamed it on “unprecedented demand.” Managing Outcomes wrote at the time that “Unprecedented is a poor excuse for unprepared” and Optus seems to have learned little from what went before.

Crisis management is not just about how to respond when a crisis has already struck. It should also be about worst-case scenario planning, preparing in advance in case things go wrong, and having a good communication plan in place. There just may be an excuse for technical failure in a highly complex streaming environment. But there is no adequate excuse for not having effective crisis communication prepared and ready to go.

Footnote: Two weeks after the event, Optus took out newspaper apology ads admitting it was a “monumental stuff up.” Only time will tell whether that belated effort delivers any real upside.

Posted in Crisis management, Reputation risk

Hey banks. No reputation campaigns . . . Please

Financial Institutions across Australia are enduring their worst reputational crisis for a generation, and there is every likelihood it will get a lot worse before it starts to improve. But now is absolutely not the time to launch some hopeful “reputation building initiative.”

Recent evidence at the Banking Royal Commission began to shred the reputation of banks, wealth management funds and other financial institutions. Then, within the space of a few days, the Commonwealth Bank agreed to a $700 million fine for money laundering – the largest fine in Australian corporate history – and criminal charges were laid against three major banks and six of their highest executives over alleged cartel behaviour to artificially inflate the price of ANZ shares.

There is nothing like the threat of prison to focus the mind, and right now the unprecedented collapse of reputation in the finance sector is doubtless triggering some long-overdue soul-searching in boardrooms across the country.

And it’s not just a crisis confined to Australia. Two of the banks facing criminal charges over the ANZ cartel scandal are major global players – Citigroup and Deutsche Bank – while a third global organisation, J.P. Morgan, reportedly avoided prosecution by blowing the whistle on the deal.

At the same time, the reputational crisis engulfing Australia’s banks has had another immediate international impact. Westpac lost top spot as the “world’s most sustainable bank” (as measured by the Dow Jones Sustainability Index) and the other “big four” also dropped down the rankings.

It’s doom on all sides – and the Banking Royal Commission has many months of expected damaging evidence still to come. In the face of this onslaught it’s a sure bet that some worried executives are asking: “What can we do to restore our reputation?” But in the midst of a continually unfolding crisis it’s the wrong question. It should be: “What can we do to change our ways and perform better?”

The fundamental problem is not reputation as such. It’s years, maybe decades, of bad behaviour which is now coming to light and having a very predictable effect. The public are looking for tangible evidence of improvement, not platitudes and promises. And a feel-good reputation campaign just won’t cut it. Look no further than the recent Bankers Association advertising campaign on the theme “Australian banks belong to you” with the message “Profits don’t belong to the banks, they belong to everyday Australians like you.”

That all sounds rather hollow when financial institutions are admitting in evidence before the Royal Commission to long-standing policies and grave mistakes which sometimes drove those same “everyday Australians” needlessly into bankruptcy and ruin.

Crisis managers everywhere ought to know the difference between branding and reputation. Branding is what you say about yourself. Reputation is what other people say about you. Reputation derives from how you behave and how it’s perceived, not from clever image-building and not from promises about what you plan to do. In other words, honestly address the bad stuff first and reputation repair should follow. As the saying goes: You can’t communicate your way out of a problem you’ve behaved yourself into. Moreover, we know from research that the credibility of business is low, and falling, and self-serving messages from big businesses during a reputational crisis are not likely to succeed. They may even backfire.

Way back in 1845, Henry Mayhew penned a famous quip for Punch: “Advice to young persons about to marry – Don’t.” To paraphrase this Victorian witticism: “Advice to bankers about to suggest an image-building reputation campaign – Don’t. Please.”

Posted in Crisis management, Reputation risk

Crisis? What crisis? Why recognition is critical

Every organisation should know when it’s facing a crisis. Sadly, it just ain’t so, and that can be a major problem.

With the football World Cup about to begin, consider the notorious case of former FIFA President Sepp Blatter. When football’s governing body was accused of corruption way back in 2011, he famously responded: “Crisis? What is a crisis? We are not in a crisis, we are only in some difficulties and these difficulties will be solved inside our family.” Four years later, facing renewed allegations, Blatter was finally forced to resign.

A critical role for leaders is to define reality, including whether the organisation is facing a crisis. This is a genuine skill, and it requires judgement, leadership and honesty. Yet some senior executives will try to emulate FIFA and deny that a crisis is threatening or has already happened.

It’s understandable that executives may be reluctant to declare a crisis and prefer to claim that everything is under control. Maybe it’s ‘justified’ by a desire to protect the share price or to avoid damage to reputation. But as British crisis expert Jonathan Hemus has written: “You can only begin to rebuild your reputation if you recognise you have a problem. Denial is the enemy of crisis management.”

Unfortunately it is not as simple as it seems. A crisis is pretty easy to recognise when it’s triggered by an emergency or major incident, such as a fatal mine accident, infrastructure failure, transport disaster, warehouse fire or product recall.

However, it’s much harder to identify when an ongoing or slowly developing problem has the potential to become a crisis, or maybe already is a crisis. Sometimes this is called a creeping crisis, such as repeated computer security breaches, persistent management misbehaviour over time, or a growing tide of customer complaints.

Take for example the infamous Ford–Firestone crisis, when more than 200 deaths were attributed to tyre failures, over half of them involving Ford SUVs. Ford CEO Jacques Nasser admitted before a Congressional committee that, despite replacing tyres overseas, Ford held off taking action in the United States “because review of its various databases assured the company there was not a problem here.” The databases might have suggested “not a problem here,” but the eventual result was one of the largest tyre recalls in history.

Or consider the Vice-President of a French airline following a plane crash which killed 87 people. Crisis authority Christophe Roux-Dufort says that, based on the fact that the morning after the accident the level of seats reserved on their flights had not changed, the airline executive asserted that it wasn’t a crisis at all.

Two separate forces are at play when senior managers attempt to deny there is a major problem. The first is a bias towards optimism – the assumption is that nothing can go wrong and success is sure to continue. The second force at play is wilful blindness – when top executives don’t or won’t hear bad news. What’s needed is open, blame-free, upward communication. In the wake of the famous Pentium chip recall crisis, Intel boss Andy Grove observed that “most CEOs are in the centre of a fortified palace.” He said he had been one of the last to understand the implications of the crisis.

Yet it shouldn’t be like that. The reality was captured in one of the most important early books on crisis management when Steven Fink wrote: “You should accept almost as a universal truth that when a crisis strikes it will be accompanied by a host of diversionary problems. As a manager, your task is to identify the real crisis.”

Posted in Crisis management, Crisis Prevention, Reputation risk

No, Adele. Denial and obfuscation is not PR 101

Public relations and communications professionals are pretty familiar with critics who like to paint what they do as inherently dishonest. Such negativity is hardly new, and maybe it goes with the territory. But the current focus on fake news seems to have exaggerated this perception, which is a serious challenge for developing and sustaining organisational credibility.

Take investigative reporter Adele Ferguson who recently attracted attention by exposing serious shortcomings at the Australian Tax Office. It was strong reportage, but Ferguson could not resist some gratuitous editorialising.

“It seems whenever an institution gets caught in the cross-hairs of a public scandal its first response is to bury its head in the sand,” she opined. “It is PR 101 and it’s why we have a major trust issue.”

No, Adele. It’s not PR 101 and it’s only one reason why we have a major trust issue. Ms Ferguson went on to suggest there is a ‘playbook’ which sets out the preferred response to any issue or reputational crisis – diminish the revelations by relegating them to a few isolated cases; sheet the incidents to the past; disparage the sources; and draw on statistics to make the scandal seem inconsequential.

There’s no denying that some organisations try this strategy. And as our fearless reporter correctly concluded, the public can see right through it. Furthermore, there is no disputing that reporters like Ferguson are absolutely justified to call out institutional dishonesty and spin when they see it.

However, to generalise that denial and obfuscation is PR 101 is no more accurate than saying that Journalism 101 is distort the facts; manufacture sensation; and make up quotes to suit the story. Any self-respecting journalist would rightly be offended by such an assertion. Yet some journalists seem to enjoy taking cheap pot-shots at fellow communication professionals working to manage sensitive and complex issues and crises.

In an essay for IPRA, entitled Spin City Fights Back, veteran journalist and crisis communicator Evelyn Holtzhausen wrote: “Journalists should spend more time on breaking great stories and less on berating PR for its shortcomings.” While his essay was deliberately provocative, he was right to conclude that “slagging each other off serves no productive purpose at all.”

Nevertheless, Adele Ferguson warrants a proper response. What is the real PR 101 when it comes to managing a reputational crisis? As she would have learned at any university course or professional training, the accepted crisis communication ‘playbook’ is not at all as she imagines. While each course and textbook states it slightly differently, the essential elements remain consistent:

  • honestly state the facts as known
  • apologise
  • express empathy and
  • describe the actions being taken to put the situation right or to prevent it happening again.

Of course there is a lot more to it than that, but those should be the basic steps when an institution – as she put it – “gets caught in the cross-hairs of a public scandal.”

To state that some organisations misuse public relations to avoid facing up to a painful reality is a legitimate observation by any journalist. But to suggest – even in a casual throw-away line – that this is the standard modus operandi of responsible professionals is misleading, mischievous and just plain wrong.

Posted in Crisis management, Issue Management, Reputation risk

When a crisis strikes, the buck stops where?

In the wake of any crisis the hunt for someone to blame is nearly always successful. Sometimes the buck stops right at the top, but does it really help to dump the CEO?

Just days after the Australian Banking Royal Commission exposed shocking financial wrongdoing at AMP, CEO Craig Meller stepped down as head of the wealth management and insurance giant (the Chairwoman of AMP followed a week later).

Announcing his resignation, Meller insisted he did not know about the company’s misdeeds, but acknowledged that he was ultimately responsible. “As they occurred during my tenure as CEO, I believe that stepping down as CEO is an appropriate measure to begin the work that needs to be done to restore public and regulatory trust in AMP.”

It was reminiscent of the departure of Volkswagen CEO Martin Winterkorn following the carmaker’s emission-cheating scandal. “As CEO I accept responsibility for the irregularities that have been found in diesel engines  . . .  even though I am not aware of any wrongdoing on my part. Volkswagen needs a fresh start. I am clearing the way for this fresh start with my resignation.”

While both CEOs were close to retirement, the question is not did they deserve to go, but did their departure actually assist the crisis response or aid recovery, or was it largely symbolic? Was there any meaningful expected advantage for stakeholders or victims, or was it simply delivering a scalp to the angry mob baying for blood?

These are the sort of questions every company needs to resolve as part of its plan for facing a reputational crisis. Of course an entirely different set of questions arises when the CEO’s personal actions created or triggered the problem – think no further than Travis Kalanick at Uber, or Sam Haskell at the Miss America Organization, or Alex Malley at CPA Australia, or Harvey Weinstein at the Weinstein Company. In such cases the solution is more obvious.

Meanwhile, CEO transitions in US companies are now running at the highest level for a decade. Naturally they are not all the result of scandal or wrongdoing, though forced departures are sometimes disguised with clichés such as ‘to pursue other opportunities’ or ‘spend more time with family.’ However, when there really is a crisis, one study showed that at listed companies that can’t regain pre-crisis share value, 15% of executives leave within a year. This compares with just 4% who leave companies that do recover.

While there is clearly a lot more to it than just share value, what is the right crisis response strategy? How much blame should the CEO legitimately bear? The options are pretty stark. AMP’s CEO resigned with immediate effect just days after wrongdoing was exposed.

By contrast, when a money-laundering scandal was reported at the Commonwealth Bank, the company announced in August 2017 that the CEO would leave, but only by June 2018 (He left in April 2018 with $12 million worth of stock). A third approach is for the scandal-hit organisation to allow the CEO to remain in place indefinitely to ‘help lead the recovery.’

President Truman famously had a sign on his desk saying “The Buck Stops Here.” Although that sentiment may be less visible in the current White House, the concept of ultimate executive responsibility is evidently alive and well in some Boardrooms. So, with fresh reputational crises emerging every day at the Banking Royal Commission, a central issue now is, how many CEOs (and Chairpersons) will be safe, and how many will be made to walk the plank.

Posted in Crisis management, Reputation risk

What to do when sponsorship becomes brand risk

When Australian cricketers were caught out cheating in a match against South Africa it was undoubtedly a reputational crisis for the team, the game and its administrators. But it was also an important decision moment for the commercial organisations who sponsor the game.

Sponsors quickly and very publicly dumped the three players directly involved, with Asics declaring their actions were “not something that Asics tolerates and are contrary to the values the company stands for,” and LG saying it would only work with “ambassadors that share our core brand values.”

A more challenging issue management conundrum faced two of cricket’s highest profile commercial partners. Qantas, whose logo is prominent on the Australian team’s shirts, urged the cricket authorities to take appropriate action. But CEO Alan Joyce said the airline was “nowhere near” withdrawing sponsorship and had not threatened to do so.

By contrast, funds manager Magellan tore up its three-year contract as naming rights sponsor – said to be worth $20 million – after only eight months, declaring that the ball-tampering incident was “so inconsistent with our values that we are left with no option but to terminate our ongoing partnership with Cricket Australia.”

The question is, which was the right response?

Although we’ll never know what discussion took place in the executive suite, is it wise to cloak a business decision in a message about morality? And with the current Royal Commission into Misconduct in the Banking and Finance Industry exposing damaging revelations in the sector day after day, do the public really have an appetite for a finance company preaching about ethical behaviour?

Indeed, unnamed sources inside the Commonwealth Bank were reported saying the CBA decision to dump sponsorship of team captain Steve Smith deliberately avoided taking a “high moralistic tone” for that very reason.

Most importantly, do sponsorship decisions – to continue or to withdraw – have any long-term impact? Consider the case of Tiger Woods, caught cheating not on the game, but on his wife. Many sponsors rushed to drop the fallen star, but Nike and EA maintained their support, despite criticism, particularly from female consumers.

A few months later, Advertising Age reported a study showing that, while Woods did major damage to his own brand, most of the brands he endorsed escaped relatively untarnished.

Furthermore, two Professors from Carnegie Mellon University later used a complex analysis related to golf ball sales to conclude that Nike was right to stand by Woods, because “even in the midst of the scandal, the overall profit was greater by $1.6 million for Nike with Tiger Woods than without him.” It was a reminder that these decisions are, to a large extent, most likely more about business than morals.

So, what to do when a sponsorship generates unwanted attention?

  • Never forget that it’s a business decision.
  • Avoid using it to make a statement about morals or values.
  • Recognise that most of your stakeholders probably don’t much care either way.
  • Do some real analysis, not just knee-jerk response.
  • Understand that you are NOT likely to be substantially punished whatever you decide.
  • Remember that media attention will quickly move on.
  • Don’t complain and don’t explain. Make a decision, then follow Nike and “Just Do It.”

 

Posted in Issue Management, Reputation risk