What happens to executives of retail companies such as Wawa Inc. when they acknowledge a data breach that exposed customer data that should have stayed private?
In early 2014, giant retailer Target Corp. set an example that is still cited by corporate security professionals.
First, the chain acknowledged a data breach had exposed 40 million credit and debit card holders’ names and account numbers to criminals over the previous three weeks. Three weeks later, the company admitted hackers had also picked up personal information: phone numbers, addresses, and emails of 70 million Target customers.
That March, the company’s chief information officer, responsible for data and computer systems, The company also started searching for a new security chief, and a new compliance boss.
Next, Target chief executive Gregg Steinhafel, who had spent 35 years with the company, took personal responsibility for the data breach, and stepped down from the top office. Target said the data breach cost it in 2013-14. The company later paid to settle private and state legal claims from the data breach.
Target said its data breach had lasted three weeks. Wawa admitted its data was exposed by malware for nine months — March to December. Wawa says credit and debit card information was exposed to criminals, but not detailed personal information.
Wawa has not announced any changes at the top so far. Chris Gheysens, a Wawa lifer who rose through the accounting department, is Wawa’s chief executive. Chief information officer is John Collier, who joined the company in 2016, after serving in a similar capacity at TracFone Wireless and in software architect jobs at Walmart and Bank of America.
Unlike Target, Wawa is a private company, owned partly by executives like Gheysens, partly by members of the founding Wood family and their du Pont cousins, and partly by thousands of Wawa employees who are given shares as a retirement savings plan.
The chairman of its board of directors, whose job includes overseeing the CEO, is founding-family heir Richard D. Wood Jr. He has held the chairman job since retiring as CEO in 2004, and has presided over the board during the period of Wawa’s rapid growth from a regional cokes-smokes-milk-and-hoagies chain to a convenience store and gasoline outlet with more than $12 billion in annual sales at 850 stores from New Jersey to Florida.
Target, as a publicly traded company, was required by U.S. securities law to announce its data breach if it believed the resulting losses could materially affect the company’s profitability. Also, as a company it was required to tell customers in the most populous U.S. state when their “unencrypted personal information” had been “acquired, or reasonably believed to have been acquired, by an unauthorized person,” whether or not the company believed that customers had suffered a loss.
Wawa, as a private company, has fewer investor disclosure requirements. And Pennsylvania, where Wawa is based, has a more conditional data breach notification requirement: A company has to tell customers when it decides the loss of personal information is likely to " — which potentially gave Wawa more time to delay disclosure, according to a data-management company founder who asked that he not be identified by name because he has business ties to Wawa.
Even with delayed discovery and disclosure, a massive data breach is time for a board to review management closely, the executive added. “Wawa is a digital company, like everyone else," he said. “When you have a data breach like this, there is usually a failure, either in management, or in the quality of security.”
Which “doesn’t necessarily mean its CEO has to go,” he added. If Wawa was paying top dollar for state-of-the-art security systems that were poorly implemented, that will place pressure on the company to reconsider its tech approach. On the other hand, if a review found the company hadn’t been spending enough on tech and security, Gheysens as CEO would expect to face especially tough questions.
Either way, “they have to pay a lot more for security now — a great CIO, a great security head, best-in-class outsourcing, along with appropriate spend — because they can’t afford to let this happen again."
“Where were the inside and outside auditors?” asked the head of a financial software company who asked not to be identified because his clients include Wawa service providers. “They are required to report regularly on these issues, system resiliency, regulatory compliance, et cetera. Our board meetings are mainly about these issues. After Target and all the others, I would think every board and their auditors are very sensitive to these issues.”
Wawa’s failure to catch the problem earlier naturally raises the question of “endemic governance challenges,” he added. “Nine months is way too long. And their response to date has been tepid. Like out of an old public relations manual. They need to be as aggressive in this as they are in selling hoagies.”
I ran that by Tony DeFazio, a Philadelphia (updated 1/6/20) communications consultant who has written on the theme of customer trust.
“The [Wawa] brand is to treat customers like family and friends, like a community partner,” DeFazio noted. He said it seemed to him that Wawa’s initial reliance on a press release and the by-now-familiar offer of a free credit report for affected customers appears "a little impersonal and a little reactive.”
DeFazio Communications counted more than 200,000 media mentions of the data breach in the days after Wawa disclosed it. DeFazio said he was surprised Wawa didn’t use such tools as mass emails, Live, or posted a Gheysens Q&A, suitably vetted by lawyers, as ways to respond to concerned customers with the usual Wawa “human touch.”