Convenience stores should incorporate data breaches into their operational crisis response plans.

By Pat Pape, Contributing Editor

Crises in business are common. They range from public management blunders and workplace crime to employee dissent and data breaches. One of the best things a retail management team can do to handle these problems is to prepare for all potential pitfalls long before they occur.

QuikTrip, the convenience chain with headquarters in Tulsa, Okla., has developed a response plan for every possible situation that could go awry in the company’s 700-plus store chain. And that includes a data breach.

“We have a crisis manual with a response for hopefully every conceivable possibility out there,” said Mike Thornbrugh, QuikTrip’s public affairs manager. “And we’re constantly reviewing it to see if there need to be changes or if there’s something we can do to enhance the process.”

PLAN FOR DISASTER
At one time, a data breach was a serious technology issue, but today a breach is about much more, including your company image, your legal responsibilities and your customers’ confidence in your brand. Should a breach occur, relying only on your instincts to manage a calamity that could expose the personal financial records of thousands of customers is fraught with danger.

That’s why every company should have a plan in place to cover all potential catastrophes.

“If you don’t have a plan, you’re like a football team that makes up the plays when they run out on the field,” said Jim Haggerty, a New York attorney and crisis communications consultant. “You must have some sense about exactly what you’re going to say [publicly],” said Haggerty, whose book Chief Crisis Officer will be published in the spring by Ankerwycke Books. “The first thing is to figure out who is on the company’s team that makes those decisions. It’s not great to be making up this stuff on the run.”

Haggerty believes the crisis team should be appointed and organized long before trouble strikes. Its first assignment is to determine appropriate responses to different problems, such as a breach. Should you be unfortunate enough to have data stolen by hackers, “you have to have accurate information about exactly what is going on,” Haggerty said. “And I’ve learned that the information you get at the beginning of a crisis is, by and large, wrong.”

There are several reasons that early intelligence about a crisis situation can be distorted.

“It’s very stressful for the company employees involved,” Haggerty said. “It may impact their job, and they may look at things from that perspective. You need a direct flow of information from the scene. You need to get the right people in there to get a clear sense of what is going on.”

Every organization wants to protect its hard-earned reputation, and the natural tendency is to keep quiet about a company problem. However, past crisis situations have demonstrated that publicly acknowledging a breach or other disaster in a timely, responsible manner actually enhances the company’s image.

“Even if you don’t exactly know what’s going on, people want to feel that it’s not spinning out of control,” Haggerty said. “You can say ‘We don’t have all the details, but we have people on the scene. We’ll let the public know as soon as we have that information.’ That goes a long way toward reassuring the public.”

ALONE ON A SHELF
Often a company will work hard to create a formal crisis plan and then leave it sitting on a shelf to gather dust. And no one looks at it again.

“People in companies change positions, and even their cell phone and contact numbers change if they remain in their position,” said Troy Leach, chief technology officer for the PCI Security Standards Council. “I’ve heard stories about a company that did have a response plan, but when they needed it, it was useless. Phone numbers had changed. The network had changed. And, some people [listed in the plan] had left the organization. That’s why it’s critical to always be updating and reviewing it.”

An organization’s response plan must be more than a written document. “It needs to be an active plan that you use to train your staff,” Leach said. “And you need to have people identified 24/7 who can respond to things that happen in the middle of the night.”

Don’t forget the third parties who have an interest in the crisis. “They should be part of the plan,” he added. “They need to be as prepared as the retailer themselves if an incident occurs.”

MANAGE YOUR DATA
Sinclair Oil Corp. of Salt Lake City serves 1,600 convenience stores with Sinclair-branded fuel. Although the company does not keep customer credit-card information in its database, it still maintains a crisis response plan in the event of a breach.

“It’s pretty hard to be breached when you have nothing to take,” said Russell Gibson, marketing manager of technical services for Sinclair. “The information we receive has only the credit card type, such as Visa, and the last four numbers of the card. There is an authorization number, the amount of the transaction and product purchased, such as the number of unleaded gallons. But there is no customer name or card expiration date. We still protect our own servers because we have employee data that we don’t want stolen, but our servers contain no credit card data.”
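As an added illustration of the data minimization Gibson describes (this is example code, not Sinclair’s or the magazine’s), the following Python sketch keeps only the fields he lists and checks, before anything is persisted or logged, that no full card number slipped through. The raw record layout and field names are constructed assumptions.

```python
import re

# Constructed sample of a raw authorization record as a pump or POS system
# might hand it to a back-office server. The PAN is a Luhn-valid test number.
RAW_AUTH = {
    "pan": "4111111111111111",
    "cardholder": "JANE Q PUBLIC",
    "expiry": "12/27",
    "cvv": "123",
    "brand": "Visa",
    "auth_code": "A1B2C3",
    "amount": 42.17,
    "product": "unleaded",
    "quantity_gal": 14.2,
}

# The only fields the back office keeps (hypothetical names).
RETAINED_FIELDS = ("brand", "auth_code", "amount", "product", "quantity_gal")


def minimize_auth_record(raw: dict) -> dict:
    """Return the record a server may store: card brand plus last four digits,
    authorization number, amount and product. Name, expiry, CVV and the full
    PAN are dropped before anything is written to disk."""
    kept = {k: raw[k] for k in RETAINED_FIELDS if k in raw}
    kept["last4"] = raw["pan"][-4:]
    return kept


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check-digit test used to tell a card number from a random run of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def contains_pan(record: dict) -> bool:
    """Guard to run before persisting or logging: True if any value still holds
    a Luhn-valid 13-19 digit run, e.g. a PAN pasted into a free-text field."""
    for v in record.values():
        if any(luhn_valid(m) for m in PAN_RE.findall(str(v))):
            return True
    return False
```

The guard catches the common failure mode where a full card number survives in a field nobody thought of, such as a receipt note, so the minimized record can be rejected instead of stored.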

For the next several years, expect all data breaches to be compared to the infamous Target breach in late 2013. After hackers broke into its network, Target officials admitted the company’s security systems had alerted them to suspicious activity, but the alert was ignored.

“There is just so much data we collect that comes through our networks that sometimes it’s hard to know what is critical,” said Leach. “That’s why the PCI Council promotes standards and best practices. You must be able to monitor those alerts that could have an impact on your systems.”

STILL A PROBLEM
Despite all the publicity about the new EMV credit cards that have additional consumer protection measures in place, skimming of gasoline card readers to steal cardholder data remains a big concern.

“We’ve seen incidents in metropolitan areas—Las Vegas more than most places—and rural areas,” Gibson said. “It’s not unusual to find skimmers at unattended locations, such as commercial locations or at fuel distributors that accept a lot of fleet cards.”

Data breaches will continue as long as criminals are able to profit from stolen credit-card data.

“We need to find ways to devalue card-holder data,” said Haggerty. “We need to eliminate data as soon as it enters a system. We must find ways to minimize how that information can be stolen and then sold on the black market, and we must raise awareness that information doesn’t need to be stored. This would help minimize the potential threat.”

Well-thought-out response plans have helped many companies successfully navigate a crisis. But the public never hears about those situations.

“The successful stories are the ones we should be recognizing,” Leach said. “But the stories of incident response plans that work never make the paper. And, that’s the ultimate goal.”
