I have always had one very simple piece of advice for any brand that would care to listen if it found itself in a pickle. Admit everything, do it quickly and do it wholly. eBay is certainly a prime
example of what happens if you do not. You can momentarily forget the legal obligations it is under -- a potential fine is nothing compared to the reputational damage it has inflicted on itself.
The problem is, brands are just like celebrities -- they think they can get away with it. Or even worse, they think a little chunk of the truth is okay to release and a hungry, baying mob
won't come back to take another chunk. The truth is, they will. Once you're a big story, the only way to take the wind out of its sails is to take one massive beating, not complain but instead
apologise, make good and move on.
My in-depth knowledge of the security breach laws isn't the best, but my understanding is that American rules are stricter. If there's a possibility that
someone's data has been compromised, a company is legally obliged to let them know. In the UK, the Information Commissioner's Office (ICO) must be informed and generally, if it is felt users were
unaffected, there is no need to inform the public. Fines for breaches in the UK are very rare, and less so in America.
However, there's no way that eBay -- obviously an American global
company -- can hide behind a report to the ICO being enough, particularly as it appears no such report was filed. Certainly there has been no public mention of it. In fact, there
doesn't seem to be much coming from eBay at all.
When it emerged that there had been a breach at eBay it came through the news channels, not from eBay. Hence, they weren't in charge of the
messaging when we found out the breach had occurred two to three months ago and they weren't able to give a clear position on why they weren't sure what was taken. All they were left to do was to
seemingly confirm what people had found out elsewhere. A breach had occurred several months ago, nobody's sure how it happened or if anything was taken, and -- fingers crossed -- nobody appears to
have been affected.
Don't know about you, but that sounds very much like a huge organisation scratching its head, looking confused and hoping the problem will just go away. They never do,
and so now the company not only looks like it doesn't give a damn, it also looks like a fool. It's one thing to have your security breached, but to have it breached and then not know how or what the
damage was is something else.
And where's my communication from eBay? No idea what's happening with other people, but I've not been asked by them to change my password. I've had no contact
whatsoever, and this from the company that regularly keeps me up to date on email with latest bargains and offers.
The trouble for eBay is they've lost control of the messaging because they
lost sight of the customer. Keeping the customer centre stage is the first rule of digital marketing,
Not only do security experts now have a new poster boy for the damage done by a
security breach, but the digital marketers can see how much damage you can do when you forget about the customer and leave third parties to communicate your failings to them.
say IT and marketing are coming together via issues that affect both the CIO and the CMO. What a very strange way for eBay to prove it.