Boss, I Think Someone Stole Our Customer Data (Commentary for HBR Case Study)

Flayton Electronics is showing up as a common point of purchase for a large number of fraudulent credit card transactions. It's not clear how responsible the company and its less than airtight systems are for the apparent data breach. Law enforcement wants Flayton to stay mute for now, but customers have come to respect this firm for its straight talk and square deals. A hard-earned reputation is at stake, and the path to preserving it is difficult to see. Four experts comment on this fictional case study in R0709A and R0709Z. James E. Lee, of ChoicePoint, offers lessons from his firm's experience with a large-scale fraud scheme. He advises early and frank external and internal communications, elimination of security weaknesses, and development of a brand-restoration strategy. Bill Boni, of Motorola, stresses prevention: comprehensive risk management for data, full compliance with payment card industry standards, and putting digital experts on staff. For the inadequately prepared Flayton, he suggests consulting an established model response plan and making preservation of the firm's reputation its top priority. John Philip Coghlan, formerly of Visa USA, discusses the often-divergent positions of data-breach stakeholders and puts customers' interests first. Swift disclosure by Flayton, he argues, would empower consumers to protect themselves against further fraud and might even enhance the company's reputation for honesty. Jay Foley, of the Identity Theft Resource Center, recommends that Flayton emphasize quality of communication over speed of delivery. More broadly, he advocates cautious management to prevent data thefts, which are proliferating and could have long-term consequences.

• IT management
• Crisis management
• Cybersecurity and digital privacy
• Service management