IAPP - Trust is Terrible Thing to Waste

Date posted: 21-Oct-2014

Category: Business

description

The pre-conference workshop entitled 'Trust is a Terrible Thing to Waste' from the 2010 International Association of Privacy Professionals conference in Washington, D.C. The session reviewed why trust is important, how to handle crisis communications, and how to build trust before a crisis hits.

Transcript of IAPP - Trust is Terrible Thing to Waste

Page 1: IAPP - Trust is Terrible Thing to Waste

TRUST IS A TERRIBLE THING TO WASTE

How to Use Communications to Protect Reputation And Advance Privacy Objectives

Page 2: IAPP - Trust is Terrible Thing to Waste

The Panel

Joe Carberry, President, Western Region, The MS&L Group

Rosetta Jones, Head of Issues Management, Visa Inc.

Dave Steer, Director of Marketing, Common Sense Media

John Berard, Principal, Credible Context

Page 3: IAPP - Trust is Terrible Thing to Waste

I. THE STATE OF TRUST

John Berard, Credible Context

Page 4: IAPP - Trust is Terrible Thing to Waste

A formula for success

Security + Privacy + Performance = Trust

Page 5: IAPP - Trust is Terrible Thing to Waste

What the data say

Page 6: IAPP - Trust is Terrible Thing to Waste

We spend a lot on security

Page 7: IAPP - Trust is Terrible Thing to Waste

Businesses are substantially increasing their expenditure on security software, despite the economic slowdown.

Gartner (2008)

Page 8: IAPP - Trust is Terrible Thing to Waste

Finding #3. Yet far fewer executives are actually “cutting security back”. And among the half or less that are taking action, most are taking the least dramatic response.

Global State of Information Security Survey (PwC, CIO & CSO Magazines 2010)

Page 9: IAPP - Trust is Terrible Thing to Waste

We talk a lot about the money we spend.

Page 10: IAPP - Trust is Terrible Thing to Waste

Google “IT security spending” and you get 47 million results.

Bing it and you get 36 million results

Page 11: IAPP - Trust is Terrible Thing to Waste

We spend a lot on product performance.

Page 12: IAPP - Trust is Terrible Thing to Waste

Federal research & development totaled $150 billion in 2007.

Page 13: IAPP - Trust is Terrible Thing to Waste

$225 billion in annual corporate research & development spending in the U.S.

Business Roundtable 2010 CEO Survey

Page 14: IAPP - Trust is Terrible Thing to Waste

About 200,000 new products introduced globally each year.

Page 15: IAPP - Trust is Terrible Thing to Waste

We talk a lot about the money we spend.

Page 16: IAPP - Trust is Terrible Thing to Waste

Bing “new product research and development” and you get 2.2 million results

Google it and you get 73 million results

Page 17: IAPP - Trust is Terrible Thing to Waste

We spend a lot on privacy.

Page 18: IAPP - Trust is Terrible Thing to Waste

Significant investment in privacy

• Technology
• Compliance monitoring
• Data collection & handling procedures
• Training

Page 19: IAPP - Trust is Terrible Thing to Waste

We DON’T talk a lot about the money we spend.

Page 20: IAPP - Trust is Terrible Thing to Waste

We allow our story to be told by failures.

Page 21: IAPP - Trust is Terrible Thing to Waste

Since 2005, the Privacy Rights Clearinghouse says that 350 million individual records have been breached.

Page 22: IAPP - Trust is Terrible Thing to Waste

In the last year, according to the Identity Theft Resource Center, 6.3 million records were affected in 218 breaches.

Page 23: IAPP - Trust is Terrible Thing to Waste

The business effect of misuse

It costs $6.6 million on average when an organization suffers a data breach, and more than $200 per compromised record, according to a survey conducted by the Ponemon Institute.

Page 24: IAPP - Trust is Terrible Thing to Waste

Just as with security and performance, we can get a return on our privacy investment.

Page 25: IAPP - Trust is Terrible Thing to Waste

The nature of online privacy

Control, not anonymity

Page 26: IAPP - Trust is Terrible Thing to Waste

Reflected in the percentages

• About half of us Google ourselves
• That’s twice what it was a few years ago
• But only about 3 in 100 do it regularly
• 60 percent of us are not worried about the volume of online information about us
• More than half of us Google others

Pew Internet & American Life Project

Page 27: IAPP - Trust is Terrible Thing to Waste

Microsoft’s Boyd put it this way:

“When they feel as though control has been taken away from them or when they lack the control they need to do the right thing, they scream privacy foul.”

Witness: Facebook, Google

Page 28: IAPP - Trust is Terrible Thing to Waste

Consumer’s view

• We care greatly about privacy
• We don’t do much about it

Pew, too

Page 29: IAPP - Trust is Terrible Thing to Waste

This is the opening for communications

• More than managing risk
• More than damage control

Adding an accelerant to the formula for success

Security + Privacy + Performance = Trust

Page 30: IAPP - Trust is Terrible Thing to Waste

Public value of the investment

Communications is the key to unlocking a market return on the investment already made.

Page 31: IAPP - Trust is Terrible Thing to Waste

The first question to ask is: Who are you?

Page 32: IAPP - Trust is Terrible Thing to Waste

II. WHEN TRUST IS BROKEN

Joe Carberry, The MS&L Group

Page 33: IAPP - Trust is Terrible Thing to Waste

What we’re talking about

How should I respond if/when data is misused or stolen?

1. Current Public Environment

2. Managing Through Crisis

3. Case Study Exercise

Page 34: IAPP - Trust is Terrible Thing to Waste

The Environment

Page 35: IAPP - Trust is Terrible Thing to Waste

What we’re up against…

Page 36: IAPP - Trust is Terrible Thing to Waste

The Risk

• Electronic data widespread in every industry

• Hundreds of publicly reported breaches; many more not disclosed

• The number of breaches continues to increase year-over-year 

• Only 36% of C-suite confident they won’t suffer breach * 

• Cost of breach now $6.6 million *

As more and more business is conducted and recorded via electronic means, risks related to data and privacy will increase.

*Ponemon Institute

Page 37: IAPP - Trust is Terrible Thing to Waste

The Point?

Data misuse/theft not question of “if” but “when”

Crises often happen in full view, in real time – with significant impact

More at risk in a data breach than just data

Page 38: IAPP - Trust is Terrible Thing to Waste

Bottom Line

“A promise must never be broken.” - Alexander Hamilton

Page 39: IAPP - Trust is Terrible Thing to Waste

Managing a Breach of Trust

Page 40: IAPP - Trust is Terrible Thing to Waste

What Makes a Crisis?

Can be triggered by various kinds of events:

• Operational failures
• Malfeasance
• Human error
• Natural disasters
• Business set-backs
• Competitor or third-party attacks

An issue becomes a “crisis” when the organization’s business prospects are threatened in the eyes of its stakeholders

You do not define “crisis” – someone else does

Crisis rule #1: somebody always finds out. Always.

Page 41: IAPP - Trust is Terrible Thing to Waste

A Crisis Subtracts Value

Crises undermine stakeholder confidence in an organization:

Short- and long-term growth potential

Sustainable return on capital

Quality (focus) of management

Ability to manage risk to the business

Source: Adapted from McKinsey

Page 42: IAPP - Trust is Terrible Thing to Waste

Managing Risk

Legal Risk

• Patchwork quilt of state and federal regulations
• Litigation exposure

Protection: Sound legal counsel

Operational Risk

• Validate and comply with industry standards (i.e., PCI DSS)
• Work with appropriate vendors, technology

Protection: Ongoing diligence, best practices

Reputational Risk

• Reputation impacts business (customers, employees, suppliers, investors, etc.)
• Reputational risk often overlooked

Protection: Preparation, established crisis protocols

*Ponemon Institute

** Harris Interactive Poll

Page 43: IAPP - Trust is Terrible Thing to Waste

Who Cares?

Local Community

Policymakers

Investors

Employees

Customers

Sales Channel

Supply Chain

Organization

On which stakeholders do you rely for success? What do they think?

Page 44: IAPP - Trust is Terrible Thing to Waste

What Can You Do?

1. Be Prepared

• Success proportionate to preparation
• Activate crisis response at first sign of exposure

2. Move Quickly

• Early and honest communication
• Someone else shaping news robs you of control

3. Take Action

• Work to resolve underlying issue
• People perceive data as “theirs”, not the company’s -- demonstrate stewardship
• Individual should remain the “north star”

4. Be Responsible

• Facing fear and suspicion – respond with transparency and responsibility
• Consumers will forgive mistakes, but not failure to act responsibly.

Page 45: IAPP - Trust is Terrible Thing to Waste

Keep in Mind

Taking Responsibility

is not the same as

Taking the Blame

Page 46: IAPP - Trust is Terrible Thing to Waste

The Message

What stakeholders generally want to hear:

1. You’ve stopped the bleeding: Make sure the problem is no longer occurring.

2. You’re making amends: Take steps to address the impact among affected parties (not the same as admitting guilt).

3. It’ll never happen again: Take steps to ensure similar issues don’t happen in the future.

Page 47: IAPP - Trust is Terrible Thing to Waste

Crisis Protocol

Page 48: IAPP - Trust is Terrible Thing to Waste

Stage 0: Preparation

• Risk Assessment

• Early Warning System

• Crisis/Situation Protocol

• Monitoring (especially digital)

Objective: Prepare for Action

Page 49: IAPP - Trust is Terrible Thing to Waste

Stage 1: Crisis Breaks

• Confirm viability of issue, pertinent details

• Assemble a Crisis Response Team

• Put in place tracking tools

Objective: Assessment & Strategy

Page 50: IAPP - Trust is Terrible Thing to Waste

Stage 2: Rapid Response

• Establish “War Room”

• Identify impacted stakeholders and expectations

• Disseminate info to stakeholders quickly, frequently

• Correct inaccuracies quickly

• Manage digital impact – address contagion

Objective: Take Control

Page 51: IAPP - Trust is Terrible Thing to Waste

Stage 3: Ongoing Crisis

• Story will evolve

• Plan for additional challenges
  – New information
  – Critics

• Catalog business remediation steps

• Countermeasures

Objective: Focus on Solutions

Page 52: IAPP - Trust is Terrible Thing to Waste

Stage 4: Post-Crisis

• Understand impact on stakeholders

• Explore business changes related to situation

• Examine tactics to rebuild reputation

• Conduct debrief; identify areas for improvement

Objective: Rebuild

Page 53: IAPP - Trust is Terrible Thing to Waste

Case Study Exercise

Page 54: IAPP - Trust is Terrible Thing to Waste

The Environment

Trust of large corporations is low

Security is pervasive issue in news media

Lots of online chatter about data breaches

Half of consumers cite privacy/security as a top concern

Legislators eager to protect consumers

Page 55: IAPP - Trust is Terrible Thing to Waste

The Situation

XYZ.Com is a major online retailer

The company has experienced a data breach

• Tens of millions of accounts; three years
• Payment information stored in violation of PCI standards
• Customers’ names, card numbers and expiry dates involved

Forensic investigation underway; external auditors

US Secret Service investigating

Card companies are aware; spotting fraud patterns

Page 56: IAPP - Trust is Terrible Thing to Waste

Stakeholders

Shareholders

Policymakers

Customers

Employees

Financial Institutions

Suppliers

Online Community

Law Enforcement

XYZ

Page 57: IAPP - Trust is Terrible Thing to Waste

Your Challenge

Competing stakeholder needs

• US Secret Service requesting delay in public disclosure
• Financial institutions want all available information, ASAP
• Federal legislators have called for immediate disclosure of all breaches
• Polling data show consumers want disclosure, but less likely to do business with breached organization
• 30 state statutes require immediate disclosure to impacted consumers

High risk associated with disclosure

• Potential for brand damage with disclosure
• Litigation risk of disclosing
• Broad consumer disclosure drives customer services costs – at XYZ and associated parties (banks)

Page 58: IAPP - Trust is Terrible Thing to Waste

The Wall Street Journal calls; they have the story...

What do you do?

Page 59: IAPP - Trust is Terrible Thing to Waste
Page 60: IAPP - Trust is Terrible Thing to Waste

Your Response

• Who is involved?
• Who is most impacted?
• Who should be at the table internally?
• What do you do first?
• Do you disclose publicly? When and how?
• What should you say?
• What business changes do you recommend to management?
• What can you do to restore trust?

Page 61: IAPP - Trust is Terrible Thing to Waste

Remember…

Misuse/theft of data creates risk

• Breach reduces trust
• Lower trust impacts brand/reputation
• Tarnished brand/reputation harms business

Crisis response should be well planned, aligned 

This is not about “spin”

Page 62: IAPP - Trust is Terrible Thing to Waste

Rahm Emanuel…

“You don’t ever want a crisis to go to waste.”

Page 63: IAPP - Trust is Terrible Thing to Waste

QUESTIONS?

Page 64: IAPP - Trust is Terrible Thing to Waste

BREAK

Page 65: IAPP - Trust is Terrible Thing to Waste

III. MAKING YOUR CASE

Rosetta Jones, Visa Inc.

Page 66: IAPP - Trust is Terrible Thing to Waste
Page 67: IAPP - Trust is Terrible Thing to Waste

What is Visa?

What We Are

• Global payments technology company
• Transaction-processing network that connects cardholders, merchants and financial institutions

What We Are Not

• Credit card issuer
• Lender
• Exposed to consumer credit risk

Payments technology company that helps power the global economy.

Page 68: IAPP - Trust is Terrible Thing to Waste

Statistical Overview

Visa Inc. is the world’s largest retail electronic payments network, with more than $4.4 trillion transacted on our payment products over the four quarters ended Dec. 31, 2009.

Visa Confidential

Statistical data in U.S. dollars; ATMs, financial institutions and cards based on four quarters ended Sept. 30, 2009. Excludes Visa Europe, unless otherwise noted.

* Based on payments volume, total volume, number of transactions and number of cards in circulation. Figures are rounded.

** Includes payments and cash transactions.

*** As reported by client financial institutions and therefore may be subject to change; includes merchant outlets and ATMs in the Visa Europe territory.

**** Includes payments and cash transactions.

Visa Inc. operates the world’s largest retail electronic payments network*

[Infographic figures, labels not recovered: 1.8B; 16,100; $2.8T; 62B; $4.4T; 1.6M]

Page 69: IAPP - Trust is Terrible Thing to Waste

Payment Security = Data Privacy

Cash Perceived Safest at POS

Privacy/no personal information cited as leading reason

[Chart: perceived safety of each payment method on a scale from 1 to 10, USA and Canada. Payment methods: Mobile Phone, Debit - Signature, Debit - PIN, Personal Check, Credit Card, Pre-Paid Card, Cash.]

I’m going to read you some ways you can pay for things at a store and please tell me how safe you think each form of payment is on a scale from 1 to 10 where 1 is not at all safe and 10 is very safe…

Even those very comfortable with emerging technology only give mobile phones a score of 4.2.

Page 70: IAPP - Trust is Terrible Thing to Waste

Integrating Security….

Print advertising

Page 71: IAPP - Trust is Terrible Thing to Waste

Integrating Security….

Brand advertising

Page 72: IAPP - Trust is Terrible Thing to Waste

Integrating Security….

Client Marketing

Page 73: IAPP - Trust is Terrible Thing to Waste

Integrating Security….

Corporate Social Responsibility

Page 74: IAPP - Trust is Terrible Thing to Waste

Debit Breach Response

Visa debit is fastest growing product

An integrated response program that included advertising, PR, pre and post campaign tracking, and data analysis

“Security breaks could curtail debit card use….” March 13, 2006

Page 75: IAPP - Trust is Terrible Thing to Waste

Security is Visa Asset

By a large margin more cardholders view Visa as a part of the solution on the issue of fraud than believe it is part of the problem.

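• Part of the solution: 69%
• Part of the problem: 19%
• DK/refused: 12%

Visa Job Approval

Thinking specifically about Visa, from the same list of issues please tell me whether you approve or disapprove of the job Visa is doing to handle that issue…

• CH Payment Protections: Total Approve 80%, Total Disapprove 8%, Strongly Approve 43%, Net Approve +72
• Preventing Card Fraud: Total Approve 80%, Total Disapprove 8%, Strongly Approve 34%, Net Approve +72
• Financial Privacy: Total Approve 80%, Total Disapprove 9%, Strongly Approve 35%, Net Approve +71
• Security Innovation: Total Approve 77%, Total Disapprove 7%, Strongly Approve 29%, Net Approve +70
• On-Line Safety: Total Approve 70%, Total Disapprove 12%, Strongly Approve 29%, Net Approve +58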

Page 76: IAPP - Trust is Terrible Thing to Waste

Top 10 9 List

1. Listen. Ask questions of key internal influencers about fears, opportunities, internal product development.

2. Get smart. Know who’s saying what about you outside the company and the vulnerabilities inside the company.

3. Start with the bottom-line; demonstrate growth opportunity or barrier to growth that can/should be addressed.

4. Use reason, not passion. Only the emotion will be heard.

5. Be the voice of the customer.

6. Make it objective -- DATA, DATA, DATA.

7. Bring the company along.

8. Use the experience of the dead bodies that have forged the privacy path before you.

9. All else fails, fear works

Page 77: IAPP - Trust is Terrible Thing to Waste

IV. BUILDING TRUST

Dave Steer, Common Sense Media

Page 78: IAPP - Trust is Terrible Thing to Waste

What we’re talking about

How do I market trust and privacy?

1. Why privacy is important to marketers

2. What you can do to make trust and privacy a differentiator

Page 79: IAPP - Trust is Terrible Thing to Waste

Why is trust so important?

Page 80: IAPP - Trust is Terrible Thing to Waste

First, a question…

WHAT ARE THEY DOING TO BE MOST TRUSTED IN PRIVACY?

The top 11 most trusted companies for privacy

eBay

Verizon

US Postal Service

Intuit

IBM

Nationwide

USAA

WebMD

Procter & Gamble

American Express

Hewlett Packard

Source: TRUSTe/Ponemon 2009

Page 81: IAPP - Trust is Terrible Thing to Waste

Sometimes there is tension between marketing and privacy people

“I just want to be able to better target our message to the right consumer”

“This will make for a better customer experience since they’ll only see what’s important to them”

“Telling them about our policies is a distraction. It should be about our product benefits.”

Page 82: IAPP - Trust is Terrible Thing to Waste

But trust is vital for marketers.

Trust = Brand Advantage

Privacy creates an opportunity for a trusted relationship with consumers which enables companies to differentiate their brands

Page 83: IAPP - Trust is Terrible Thing to Waste

“The Great Trust Offensive”

“…trust is the number one driver of any brand at the most fundamental level.

We buy what we trust and keep buying; familiarity and trust are big, big drivers of loyalty and brand value.”

Andy Bates, CEO, Interbrand

Page 84: IAPP - Trust is Terrible Thing to Waste

But with privacy, it’s complicated

Page 85: IAPP - Trust is Terrible Thing to Waste

Which is why most companies play defense

“I can’t help noticing that more and more technology companies are exposing people’s information publicly and then backpedaling a few weeks out.”

danah boyd, Harvard Berkman Center

Page 86: IAPP - Trust is Terrible Thing to Waste

Building trust

Page 87: IAPP - Trust is Terrible Thing to Waste

Brands focus on building credibility

The Credibility Lifecycle

Source: Stanford, B.J. Fogg, 2002

Page 88: IAPP - Trust is Terrible Thing to Waste

A ‘trust lens’ of messaging & programs

Source: Stanford, B.J. Fogg, 2002

Support: ‘Being there’ when something goes wrong.

Reassurance: Show the protections that are in place, the company, what others say, etc.

Education: Enable people to protect themselves, show what you are doing

Page 89: IAPP - Trust is Terrible Thing to Waste

So, how can you build trust?

Page 90: IAPP - Trust is Terrible Thing to Waste

1. LISTEN TO your customers and embrace two-way communication

The proposed Facebook privacy policy received thousands of comments

Page 91: IAPP - Trust is Terrible Thing to Waste

2. Have a clear, compelling message

Start by answering these questions…

• Who is the target audience?
• What is your single key message?
• What is the benefit of your privacy program?
• Why should they care?
• What are the barriers to them understanding your message

The toughest part is balancing simplicity with transparency

Page 92: IAPP - Trust is Terrible Thing to Waste

3. BUILD privacy messaging into the EXPERIENCE

Ads & PR & WOM

Home page

Registration

Transaction

Post transaction

Ongoing loyalty

A typical customer experience

What privacy questions will they ask? When will they ask?

How can you reassure, support, and educate?

Page 93: IAPP - Trust is Terrible Thing to Waste

4. Educate, educate, educate

• About safe, responsible BEHAVIOR
• About safe uses of your PRODUCT

Page 94: IAPP - Trust is Terrible Thing to Waste

4. Safe, responsible behaviors…

Page 95: IAPP - Trust is Terrible Thing to Waste

4. PRODUCT safety

Page 96: IAPP - Trust is Terrible Thing to Waste

5. Tell people what you’re doing to protect them

Page 97: IAPP - Trust is Terrible Thing to Waste

Summing it up

1. Listen to your customers – and embrace 2-way communication

2. Develop a clear, compelling message

3. Build privacy messaging and support into the brand experience

4. Educate, educate, educate

5. Tell them how you are protecting them

Page 98: IAPP - Trust is Terrible Thing to Waste

Remember

Trust = Brand Advantage

Privacy creates an opportunity for a trusted relationship with consumers which enables companies to differentiate their brands

Page 99: IAPP - Trust is Terrible Thing to Waste

V. PUTTING IT ALL TOGETHER

John Berard, Credible Context

Page 100: IAPP - Trust is Terrible Thing to Waste

Bringing it all together

Security + Privacy + Performance = Trust

Trust = Brand Advantage

Page 101: IAPP - Trust is Terrible Thing to Waste

THANK YOU.

Page 102: IAPP - Trust is Terrible Thing to Waste

The Panel

Joe Carberry, President, Western U.S. [email protected]

Rosetta Jones, Head of Issues Management, Visa [email protected]

Dave Steer, Director of Marketing, Common Sense Media, 415.845.5110, dsteer@commonsensemedia.org, www.steermarketing.net, www.twitter.com/steerdave

John Berard, Principal, Credible [email protected]