• United States




Crisis Management or lack thereof

Feb 01, 20073 mins
Data and Information Security

I’m struck by how poorly many leading businesses deal with a crisis situation. Case in point: the data breach at The TJX companies.  This will, no doubt, become a great case study in how NOT to respond to a crisis.

For those of you who may have missed the media frenzy around this , TJX is the parent company of a number of major retailers including TJ Maxx, Marshalls, HomeGoods, Bob’s Stores and AJ Wright. According to the initial statement issued by the company in mid-December they discovered an unauthorized intrusion into their computer systems that process and store information related to customer transactions. Apparently we are talking about millions of records compromised. Their investigation leads them to believe that the intrusions continued from May 2006 to December 2006. They then, apparently at the behest of law enforcement, kept the discovery under wraps until mid-January while they investigated the theft and strengthened their security. From where I sit, that was, in general, a good move.

Where the whole process has broken down completely was is the public response from the company…and they are already feeling the fallout. When they went public they did so through a statement posted on their website. Calls to the company garnered “no comments”. When the weight of the media really began to descend upon them they took out full page ads in newspapers explaining what happened, and then put a video of their Chairman on their website.  Maybe I missed it but I have yet to see a live person from TJX comment on this crisis. When asked if they would offer credit-monitoring services to those customers that were affected, they refused claiming it was not necessary.

The result of their communication efforts currently stands at three pending class-action lawsuits from consumers and banks seeking reimbursement for the cost of issuing new credit cards to their customers; credit card fraud resulting from stolen data popping up around the world; and, their stock value has taken a hit as well…not huge, but a hit nonetheless.

There are lots of lessons to learn here and more to come as this story continues to unfold. The most important thing that I note is that TJX’s failure to get out in front of the problem and manage the public communication more effectively has allowed others to define the issue for them. In a crisis you can never let that happen. Their failure to address the issue head on makes people think they are hiding something. Crisis communications requires two things: a crisis, which they have, and communication, which they don’t.  Until they get on the stick their problems will continue to mount.