Apr 7 2009 7:17PM GMT
Posted by: Jack Danahy
There is no more critical component to an organization’s capacity for trust than reputation.
Whether you are handing over money, customer information or your own health, the reputation of a prospective bank, partner, or hospital will likely be the reason you consider, choose or cut the organization out of contention.
Consider the announcement in January 2009 of a breach at Heartland Payment Systems. Since that story broke, there has been a continuing stream of news on the topic that keeps both Heartland and the breach in the headlines. This ripple effect from the original event deserves consideration by other organizations as they make their own decisions regarding risk, investment, consequences and policy.
To understand how broad the impact has been, I thought it would be useful to use Google to simply look up “Heartland Payment Systems” and see what kind of exposure this single breach was enjoying now, almost three months after the original announcement by Heartland.
The output is pretty illuminating. As one would expect, the first natural topic is the corporate website. Beyond this, it goes downhill pretty fast. Of the remaining nine items in the natural search list, with the exception of a pointer to a secondary company site and the company’s Hoovers listing, everything relates to the breach. That’s a pretty high percentage.
By way of description, the second item is a website, www.2008breach.com, which is registered to Heartland Payment Systems and carries a statement from Heartland CEO Robert O. Carr about the breach and about Heartland’s continued role as a payment processor. Mr. Carr also draws attention to the fact that some competitors had been misrepresenting the actual meaning of the announcement by Visa that they had removed Heartland from the PCI-compliant vendors list. This type of disclosure and investment in educating potential victims is laudable, but a search for a vendor that returns “breach” in the URL of the second result would likely be a warning flag to someone trying to learn about Heartland.
The other items in the natural list point to articles relating to various writers’ viewpoints on the breach. While some are more objective than others, the actual topics are much broader than I would have suspected:
- Three of the articles are pretty straight news stories on the breach including the idea that it may be the largest breach in history.
- One is a news story on a class action lawsuit that “seeks actual and punitive damages for allegations of negligence and breach of duty.”
- One describes the author’s view that Heartland attempted to hide the “Largest Data Breach in History.”
- One describes the “Big Breach and Lame PR Tactic.”
- One claims that Heartland “Uncovers Malicious Software in its Systems.”
So, what does all this mean? I, for one, am not suggesting that all of this content is correct, or that Heartland does not deserve the opportunity to address any issues and continue on with their business. My point is that reputation is a critical, yet fragile thing. Building it and defending it are not small tasks, and a fall from favor can be swift and absolute.
It should also be noted that three advertisements arrived in the right-hand column of the Google results window when searching for “Heartland Payment Systems.”
- One is for point-of-sale systems for retail use.
- One is a recruiting advertisement for people who want to sell point-of-sale systems.
- The last is from the firm of KaplanFox, who claimed to be investigating “Possible Securities Fraud by Heartland.”
Even the targeted advertisements promote a difficult message for Heartland.
All of this ties directly into managing risk. Since reputation is an invaluable asset to any organization, protecting it with sufficient resources and rigor seems reasonable. Rebuilding a tarnished reputation after a breach will require efforts along all of the avenues cited above, and is always much more difficult than creating it in the first place. That is because breaches result in headlines that are free, interesting, popular media, while fixes and cleanup result in little beyond whitepapers, which are costly and unpopular media. There was not a single positive article, review or news item on the first full page of results.
From this event and countless others that one can find, the link is clear between reputation and the trusted data that is received from customers and partners. This creates the real requirement that organizations do a comprehensive job of ensuring that data will be protected, and that systems are in place to minimize the risk and impact of any possible breach. Optimally, organizations should mitigate the risk before something bad happens. Not knowing how to do it or where to start is no longer an excuse. It is time to take action.
As a first step, I recommend that you take a step back and better understand what it is that you are protecting. Before you buy any product to help with this, even ours, it is most important to understand how you can use a product to help you. With the proliferation of malware and hacking activity out there, and the obvious toll that breaches take, it is only a matter of time before short-range savings might be wiped out by staggering, breach-related costs.