Target as Target
After fumbling its initial response to a massive data breach, Target Corp. has rebounded, according to experts in crisis management.
However, they said, the retailer still faces challenges in regaining consumer confidence, especially among people directly harmed by the cyber attack, which struck at the height of the holiday shopping season.
In late November and early December, malware lodged in the retailer’s point-of-sale system siphoned off account and personal information for up to 110 million customers. But Minneapolis-based Target is not the only company that may have been struck. Luxury retailer Neiman Marcus suffered a smaller breach, and news reports suggest at least six other retailers have been hit. These other companies likely are keeping a close eye on Target’s handling of the crisis.
Critics have focused, in part, on the company’s early communications. Target appeared initially to underestimate the gravity of the situation, crisis consultants said. For example, Target’s first message to customers apologized for the inconvenience.
“You don’t call something like this an inconvenience,” said Rich Klein, a crisis management consultant in New York City.
Subsequent messages from Target used stronger language, acknowledging customers’ stress and anxiety, he said. Messages also switched from assuming customer confidence to promising to regain it, Klein added, praising the change.
“I would still say it’s so much better to get it right the first time,” he said.
Still, he added, the company made good use of its Twitter feed and Facebook page. Facebook, for example, was used only to communicate about the breach, not to advertise sales, though it also acted as something of a lightning rod for complaints.
Consultants also panned the company’s decision to extend a 10 percent discount to shoppers during the weekend of Dec. 21, a few days after news of the breach first surfaced. While the discount was a nice gesture, it did not adequately address customer concerns and seemed to suggest the crisis had passed, consultants said.
In addition, the company has occasionally appeared to be behind the news, with information trickling out in the media before being revealed by Target, said Jeff Jubelirer, vice president of Philadelphia-based Bellevue Communications Group. “We should expect more from a retailer of that size and that reputation and that level of success.”
A key turning point came on Jan.13 when the company’s CEO, Gregg Steinhafel, appeared on CNBC, apologizing for the breach, reassuring customers and defending the company’s reaction:
Steinhafel should have been giving interviews in December, said Jonathan Bernstein, an independent crisis management consultant in Los Angeles. “They would have suffered less loss of sales and less impact on their stock value if they had been more assertive from the get-go.”
Other observers gave Target high marks for making a relatively quick disclosure of the breach and offering a free year of credit monitoring to customers. The four-day gap between discovery of the breach on Dec. 15 and public disclosure on Dec. 19 was faster than it’s been in other cases, said Alysa Hutnik, an attorney in the Washington, D.C. office of Kelley Drye.
“I haven’t done the math, but I think that would rate somewhere at the very top,” said Hutnik, who specializes in cyber security issues.
Another high point is the prominent role of Target’s CEO, Hutnik said. “He knows there’s work to be done to earn back customer trust, and it looks like he is taking that obligation seriously,” she said, noting that top executives rarely serve as public faces after a data breach.
Other positive steps include Target’s $5 million investment in cyber security education said Michael Soza, a partner in accounting and consulting firm BDO.
“This latest move … is really going on the offensive to show that they really are trying to get out in front of this thing and really attack what is not just a Target problem,” Soza said.
As long as no other damaging details leak out, most customers will remain loyal to the chain, said Daniel Korschun, an assistant professor of marketing at Drexel University in Philadelphia.
But the company will have to work harder to win back customers who suffered directly. They will be hard to find and hard to soothe, especially if they’ve had to spend hours on the phone undoing damage to their credit or bank accounts.
“Those are the ones where the trust has really been lost,” Korschun said.
Disclaimer: The events depicted in this scenario are fictitious. Any similarity to any corporation or person, living or dead, is merely coincidental.
No One Here Gets Out Alive
All is not well in the home of Gretchen and Peter Mansfield. Gretchen, 41 is a sales manager for Durham, N.C.-based pharmaceutical manufacturer BioRealm. Her husband Peter, 44, lost his sales job in mid-2015 and insecurity has been eating away at him.
A big part of Gretchen’s job is working with BioRealm’s SVP for sales, Brian Hatch, 35. Fit, good looking and very well compensated, Brian is Peter’s current nightmare.
Brian and Gretchen spend a lot of time traveling together, sometimes staying in the same hotel for days at a time. Peter, always the jealous sort, stole Gretchen’s work email password long ago and has been following her every move.
He’s read emails between Gretchen and Brian that left no doubt in Peter’s mind they were having an affair.
The last straw was when he picked up a voicemail from Brian that went direct to Gretchen’s email. Hearing Brian describe what he’d like to do with Gretchen the next time he saw her sent Peter over the edge.
At 11:10 am on September 15, 2015, Peter parked his family’s SUV in the parking lot of the Durham location of BioRealm.
From the open windows of the car, Metallica’s “For Whom the Bell Tolls” was blaring.
Peter wore a two-day beard, but there was nothing else in his appearance to warrant alarm.
As he walked to the front door, carrying a large black gym bag and a vinyl grocery bag, he caught the eye of Sandy Brick, Gretchen’s friend and coworker, whom he’d known for years.
Sandy always liked Peter.
“Hey Sandy,” said Peter with a smile.
He was in sales for years. He can do this.
“Hey Peter, what brings you here?” said Sandy.
“Gretchen forgot her lunch bag and her gym bag,” said Peter affably, smiling and holding up the gym bag as he did so.
He did this just as Sandy reached the front door. Not giving her action a second thought, Sandy swiped her security card to open the front door and allowed Peter in ahead of her.
“You know where Gretchen’s office is, right?” Sandy said.
“Sure I do,” said Peter with a smile that faded a little too quickly.
But instead of heading toward Gretchen’s office, Peter made a beeline for Brian’s office, in the opposite direction.
Peter half-jogged to Brian’s office pulling a Glock 9 mm handgun with a 12-round magazine from the grocery bag and an AK-101 with a 30-round clip from the gym bag.
Approaching Brian’s office, he heard his voice, that same confident baritone that Peter last heard on Gretchen’s voicemail. Peter’s rage went from burning red to white hot.
Now running, Peter burst into Brian’s office and shot him three times in the head with the Glock. Peter bit completely through his lower lip as he shot Brian, so intense was his anger.
Not knowing exactly what they heard, BioRealm employees turned their heads to see Peter, with blood running from his mouth, leaving Brian’s office holding the handgun and the assault rifle and heading toward Gretchen’s office.
Now it’s clear what’s happening. Screams begin to rise from the cubicles.
“He’s going for Gretchen!” a woman shouted.
Two men rushed Peter and he shot them down with a burst from the AK-101.
Gretchen poked her head out of her office at the sound of the second round of shots. She saw Peter coming at her. But it wasn’t like it was him at all.
His face was a grey mask and his pupils were pinpoints.
Gretchen’s right hand went up reflexively as Peter fired a 9 mm bullet through her hand and into her temple. Peter fired again and again, some of the bullets hitting Gretchen’s falling body and some of them ricocheting off of office fixtures.
In a half-jog, wiping spasmodically at his bleeding mouth, Peter moved back to the front door.
People attempting to flee the building scattered as he approached. Peter fired with the AK-101 as he neared the front door, striking at least half a dozen people as those more fortunate fled in a different direction.
The exit door was streaked with blood. A woman with sandy hair was propped against the door, dead.
Peter grabbed her by the hair and tossed her aside to clear his exit. The door wouldn’t budge. So he shot the latch to pieces with the AK-101.
Peter walked out to the parking lot, placed the muzzle of the Glock in his mouth and pulled the trigger. Blood splattered on the BioRealm sign adjacent to the front door.
Peter Mansfield’s final visit to BioRealm lasted all of three minutes and 25 seconds.
Falling Short of Competence
BioRealm prided itself on having a state-of-the art emergency response and security system. In the wake of numerous office shootings throughout the country, the company installed swipe card security six months before Peter Mansfield’s shooting rampage.
Within 10 minutes of the attack, a text alert was sent to all BioRealm employees and their preferred emergency contacts informing them of the incident.
The text informed BioRealm employees to punch in a code number to let the system know they were safe and sound.
The text lacked specific detail, however, only informing employees and next of kin that an incident had occurred at the Durham campus and that BioRealm was working with local authorities to resolve any issues.
The texting system also failed to take into account any employees that might have gone into hiding when Peter Mansfield first opened fire.
Peter shot Brian Hatch down at 11:12 am.
At 1:10 pm, Angela Brighton, an event planner who assisted the BioRealm sales team, was still hunkered down in a utility closet on the first floor of the Durham offices. When the shooting started, Angela fled for cover, not having time to take her cell phone with her.
In her haste to pull the closet door shut, Angela lacerated her shin against the edge of a mop bucket. Traumatized and now dehydrated, Angela finally burst out of the closet at 1:15 p.m., overcome by claustrophobia and pain and crying hysterically. The building by then had been evacuated.
Angela suffered the surreal experience of walking thorough the BioRealm offices, seemingly by herself. In her shock, she saw a smear of blood on a corridor wall, and traced it with her finger, as if to confirm for herself that it was real.
The first person she encountered was a County Police Lieutenant, who looked at her in shock when he saw her.
“Ma’am, have you been in here the whole time?” the Police Lieutenant asked her.
“Nobody….nobody said anything,” Angela said, visibly distraught. “Nobody came looking for me. It’s like I don’t exist,” she said, clearly off-center.
Quickly, the Lieutenant got her a seat and ordered medical attention for her via walkie-talkie. No sooner did he have her seated when Gabe Crooks, an intern from Duke, walked up.
“I was in a second floor bathroom,” Crooks told the Lieutenant. Crooks was less visibly shaken than Brighton, but he was clearly upset.
“I’d like to go home now,” he told the Lieutenant.
In a nearby hotel conference room, BioRealm risk manager Nathalie Galbreath, company CEO Keith Ryerson and chief communications officer Roger Blinton were huddled over scratch pads, cell phones and laptops.
“How many are still unaccounted for?” Ryerson asked Galbreath.
“My latest information is five,” Galbreath said.
“That’s five employees that aren’t in the time and attendance system as being on business travel or vacation and who haven’t responded to the emergency text.”
“Dead and injured, again?” Ryerson asked Galbreath.
“Seven dead, four injured, one critically.”
“Text the families of the missing again,” Ryerson told Blinton. “Let them know that we’re still working with authorities to find their relatives.”
“Text them?” Blinton asked.
“Yep. Do it. It’s the fastest way to get to them,” Ryerson said.
Blinton gave Galbreath a look and then turned away to start texting.
The swirl of events continued.
Social media was alive with cell-phone footage of Peter Mansfield’s exit from the BioRealm offices, when he heartlessly yanked a dead woman’s body from the door and shot his way out.
A gutsy BioRealm intern somehow managed to follow him to the door, shooting video with her phone. She posted the video to Facebook within ten minutes of Peter’s death.
BioRealm’s attempts to comfort bereaved families and provide information to others continued to fall short.
Four hours after the incident, no BioRealm employee had reached out to families in person to tell them what was going on. Contrasting this failure was the excellent effort put out by local emergency responders, who placed personal calls to the homes of every dead or injured employee.
With frustration against BioRealm building to a peak, the grieving sister of a slain employee became outraged when BioRealm couldn’t give her a solid answer as to when she’d be able to enter the building to collect his belongings.
“What do you mean you can’t answer that?” she screamed at a BioRealm employee outside the Durham offices as television cameras recorded the moment.
“My brother is dead! Answer me!” she screamed as the employee, rattled, turned his back on her and headed back into the building, all the while on camera.
Television news producers edit the blood-spattered BioRealm sign into their coverage.
It took BioRealm executives until noon the following day to determine that their time and attendance system malfunctioned and that the five “missing” employees were actually in the building at the time the shooting occurred and had fled to their homes.
None of the five ever came back to work for BioRealm.
No Quarter Asked or Given
BioRealm were prepared for an active shooter scenario, or so they thought. There was the aforementioned addition of swipe card security. The company was also banking on its text messaging system to get crucial information out to friends and family in a timely manner.
The company had created an evacuation plan and an emergency communications plan in case of an extreme weather event or some other catastrophe. The actual event, someone’s spouse entering the building and killing people, simply overwhelmed all preparations.
BioRealm’s risk management and emergency response management failures would prove costly in human and financial terms.
Keith Ryerson’s inability to realize the importance of speaking directly to employees and their families on the most notorious day in his company’s existence did not play well.
Coupled with the results of investigations that reported that BioRealm failed to adhere to its own crisis response policies, families that felt their loved ones were killed or injured due to corporate security laxity filed suit.
Also filing suit were 25 BioRealm employees who left the company after the shooting. They alleged that the company’s emergency management training and security measures were inadequate.
Included in that class of litigants were Angela Brighton and Gabe Brooks, the two employees who were left behind the day of the shooting.
“Let me get this straight. Nobody made any attempt other than a text message to reach you and no one came looking for you,” one of the attorneys handling the lawsuit asked Brighton and Brooks.
“No one,” Brighton said.
“No one, means no one,” said Brooks, whose usually sunny disposition was under a very dark cloud.
“Who allows a non-employee to enter a supposedly secure building carrying a heavy black bag?” another attorney representing the employees in the lawsuit said to one of his colleagues as they prepared their brief.
The reputational harm caused by social media sharing of the Peter Mansfield shooting video, plus the images of a BioRealm employee turning his back on a grieving family member also wouldn’t go away.
“We’re going to have to up investments in security,” Nathalie Galbreath told Keith Ryerson in a meeting two months after the shooting.
“I’m talking metal detectors on every door and armed security guards. I think it’s the only way we’re going to get any sense of stability in our workplace,” she added.
“Do you know what our legal bill is already from this?” Keith Ryerson said to her.
“Um, no, I don’t know what it is,” Nathalie said, not feeling very patient.
“How about $650,000 and we’re not even at trial with any one of five lawsuits?” Keith said.
Keith Ryerson put his head in his hands.
“Go ahead,” he said.
“Go ahead what?” Nathalie said, sharing his exhaustion and depression.
“Go ahead and order the metal detectors, order the guards,” Keith said weakly.
Risk & Insurance® partnered with Black Swan Solutions to produce this scenario. Below are Black Swan Solutions’ recommendations on how to prevent the losses presented in the scenario. This perspective is not an editorial opinion of Risk & Insurance®.
1. Crisis Response and Business Continuity plans must coordinate with community police, fire and emergency medical agencies. In addition, pre-establish coordination with a local chapter of the Red Cross. All organizations rely on community responders to assist in a crisis. Yet most never proactively involve these same agencies in plan development and testing. If a crisis occurs, this can result in significant challenges related to cooperation and coordination.
2. Have a plan for testing, shelter in place and evacuation processes including a reliable means to account for every employee on premise at the time of the event. This information will also be invaluable for first responders involved in the search and rescue effort.
3. Have a secure centralized database for up to date information. This will allow for timely and accurate notifications to stakeholders.
4. Consider contracting with a specialized crisis call center to ensure you have a plan in place to accommodate mass inquires while providing a professional and compassionate response. Families will expect your organization to provide timely information and account for their loved ones who may have been affected by the crisis. The volume of inquiries and requests for information will often overwhelm your expectations and capabilities to respond.
5. Difficult news must be delivered personally. If the news is not good, make the effort to say it either in person or on the telephone – don’t text it. Realizing you have to use the tools and contact information you have, do your best to connect on a personal level, no matter how challenging, when you must deliver bad news.
6. Prior to a crisis, identify and train organizational personnel who will interface with victims and families in a critical event. Understand the importance of self-care for those involved in responding to the incident and debrief them at the end of every shift. Consider contracting with an organization to provide specialized training, as well as to provide guidance and support to those employees during the crisis.
7. Pre-consider strategies for establishing a family assistance center, typically at a hotel, where victim families can gather to obtain information and receive emotional support and psychological first aid. Families also have an opportunity to obtain information from responding authorities.
6 Truths about Predictive Analytics
Predictive data analytics is coming out of the shadows to change the course of claims management.
But along with the real benefits of this new technology comes a lot of hype and misinformation.
A new approach, ACE 4D, provides the tools and expertise to capture, analyze and leverage both structured and unstructured claims data. The former is what the industry is used to – the traditional line-item views of claims as they progress. The latter, comprises the vital information that does not fit neatly into the rows and columns of a traditional spreadsheet or database, such as claim adjuster notes.
ACE’s recently published whitepaper, “ACE 4D: Power of Predictive Analytics” provides an in-depth perspective on how to leverage predictive analytics to improve claims outcomes.
Below are 6 key insights that are highlighted in the paper:
1) Why is predictive analytics important to claims management?
Because it finds relationships in data that achieve a more complete picture of a claim, guiding better decisions around its management.
The typical workers’ compensation claim involves an enormous volume of disparate data that accumulates as the claim progresses. Making sense of it all for decision-making purposes can be extremely challenging, given the sheer complexity of the data that includes incident descriptions, doctor visits, medications, personal information, medical records, etc.
Predictive analytics alters this paradigm, offering the means to distill and assess all the aforementioned claims information. Such analytical tools can, for instance, identify previously unrecognized potential claims severity and the relevant contributing factors. Having this information in hand early in the claims process, a claims professional can take deliberate actions to more effectively manage the claim and potentially reduce or mitigate the claim exposures.
2) Unstructured data is vital
The industry has long relied on structured data to make business decisions. But, unstructured data like claim adjuster notes can be an equally important source of claims intelligence. The difficulty in the past has been the preparation and analysis of this fast-growing source of information.
Often buried within a claim adjuster’s notes are nuggets of information that can guide better treatment of the claimant or suggest actions that might lower associated claim costs. Adjusters routinely compile these notes from the initial investigation of the claim through subsequent medical reports, legal notifications, and conversations with the employer and claimant. This unstructured data, for example, may indicate that a claimant continually comments about a high level of pain.
With ACE 4D, the model determines the relationship between the number of times the word appears and the likely severity of the claim. Similarly, the notes may disclose a claimant’s diabetic condition (or other health-related issue), unknown at the time of the claim filing but voluntarily disclosed by the claimant in conversation with the adjuster. These insights are vital to evolving management strategies and improving a claim’s outcome.
3) Insights come from careful analysis
Predictive analytics will help identify claim characteristics that drive exposure. These characteristics coupled with claims handling experience create the opportunity to change the course of a claim.
To test the efficacy of the actions implemented, a before-after impact assessment serves as a measurement tool. Otherwise, how else can program stakeholders be sure that the actions that were taken actually achieved the desired effects?
Say certain claim management interventions are proposed to reduce the duration of a particular claim. One way to test this hypothesis is to go back in time and evaluate the interventions against previous claim experience. In other words, how does the intervention group of claims compare to the claims that would have been intervened on in the past had the model been in place?
An analogy to this past-present analysis is the insight that a pharmaceutical trial captures through the use of a placebo and an actual drug, but instead of the two approaches running at the same time, the placebo group is based on historical experience.
4) Making data actionable
Information is everything in business. But, unless it is given to applicable decision-makers on a timely basis for purposeful actions, information becomes stale and of little utility. Even worse, it may direct bad decisions.
For claims data to have value as actionable information, it must be accessible to prompt dialogue among those involved in the claims process. Although a model may capture reams of structured and unstructured data, these intricate data sets must be distilled into a comprehensible collection of usable information.
To simplify client understanding, ACE 4D produces a model score illustrating the relative severity of a claim, a percentage chance of a claim breaching a certain financial threshold or retention level depending on the model and program. The tool then documents the top factors feeding into these scores.
5) Balancing action with metrics
The capacity to mine, process, and analyze both structured and unstructured data together enhances the predictability of a model. But, there is risk in not carefully weighing the value and import of each type of data. Overdependence on text, for instance, or undervaluing such structured information as the type of injury or the claimant’s age, can result in inferior deductions.
A major modeling pitfall is measurement as an afterthought. Frequently this is caused by a rush to implement the model, which results in a failure to record relevant data concerning the actions that were taken over time to affect outcomes.
For modeling to be effective, actions must be translated into metrics and then monitored to ensure their consistent application. Prior to implementing the model, insurers need to establish clear processes and metrics as part of planning. Otherwise, they are flying blind, hoping their deliberate actions achieve the desired outcomes.
6) The bottom line
While the science of data analytics continues to improve, predictive modeling is not a replacement for experience. Seasoned claims professionals and risk managers will always be relied upon to evaluate the mathematical conclusions produced by the models, and base their actions on this guidance and their seasoned knowledge.
The reason is – like people – predictive models cannot know everything. There will always be nuances, subtle shifts in direction, or data that has not been captured in the model requiring careful consideration and judgment. People must take the science of predictive data analytics and apply their intellect and imagination to make more informed decisions.
Please download the whitepaper, “ACE 4D: Power of Predictive Analytics” to learn more about how predictive analytics can help you reduce costs and increase efficiencies.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with ACE Group. The editorial staff of Risk & Insurance had no role in its preparation.