A data breach at Target is eerily close to a fictional scenario that I created for an HBR case study a few years back: Boss, I Think Someone Stole Our Customer Data. I’ve written about it again for HBR in light of recent events. Before today’s story that revealed the breach, the decisions around disclosure were being made based on requirements in individual states.
The questions of what to tell customers and when are legitimate ones. A first gut reaction may be that you have to alert everyone. However, if the damage has been contained and the consumer will bear no cost for fraudulent activity, do you really want millions of people to have to replace their credit cards just before Christmas? Law enforcement may also want to let activity go on for a bit so that they can better trace the culprits.
This kind of data breach poses a thorny ethical and economic decision for executives. Personally, I would vote for full disclosure, but I can see the validity of the other argument. Yes, there would be an enormous financial hit. I believe that coming clean and owning the incident is the first step to rebuilding brand trust that results from the breach. Remember tainted Tylenol. What do you think?