Boss I think someone stole our customers Flayton Electronics Case Study

Brett Flayton, CEO of Flayton Electronics, is facing the most critical crisis of his career when it is discovered that 1,500 of 10,000 transactions have been compromised through an unprotected wireless link in the real-time inventory management system. Brett has to evaluate his obligation to let customers know of the massive leak of private data, define a communication strategy that would notify customers across all states of the potential security breach, and also evaluate the extent to which the Flayton Electronics' brand has been damaged in the security breach. In addition, steps that the company can take in the future to avert such a massive loss of customer data also needs to be defined and implemented.

Assessing the Obligations to Customers vs. Keeping It Quiet

Ethically, Brett Flayton has a responsibility to tell the customers immediately of the security breach (Sanderson, 2011). How he chooses to sequence the communicating of the breach to customers has clear implications on the ongoing investigation by the security service. It will also have a major impact on the ability to completely solve the firewall situation, determine if it was negligence or if in fact the company was hacked, and whether those responsible have greater control than the senior management team at Flayton Electronics realize.

In all data breaches there are major impacts on profitability and long-term viability of a business (Gatzlaff, McCullough, 2010). The costs associated with a data breach, both directly and indirectly, can cripple a business. Worse still, not responding at all and being seen as trying to cover it up can virtually assure a business will not be trusted anymore. Brett, the CEO, must decide if this risk is worth taking or not, and whether disclosing the information to customer's would lead to the investigation being compromised. The also has to consider how pervasive the potential link is as well.

Based on these considerations and the potential that customer's...

Before making the statement however he needs to contact Experian, Transunion and Equifax, the three top credit reporting agencies, and tell them the credit cards numbers that have been breached. He also needs to pay for lifetime monitoring for all credit cards and identities of those affected, offering it to the victims of the theft at no charge if they choose to enroll. He needs to move beyond just protecting his company to actively protecting his customers too, no matter what the cost.
Proposed Communications Strategy

Brett needs to push his CIO to complete a thorough audit in less than 24 hours and lock down the entire IT complex of systems immediately to make sure there are no additional threats. This is a vital first step to ensuring that any and all promises made during the communications plan will be capable of being kept. When dealing with data security threats and the communications plan to inform the public and customers, it's critical that the catalyst of the communication strategy be based on actions already taken and verified as effective, which underscores responsiveness and urgency (Kelly, 2005). The senior management team at Flayton also needs to define the future data protection strategy, showing that they are entirely focused on deterring any activity like this in the future (Sanderson, 2011). In short there must be a very concerted, enterprise-wide security strategy defined and a strong platform of deterrence also described so the communications plan resonates with credibility.

Starting with an emergency security plan completed and deterrence in place, even if it meant working 24/7 until done, then the communications plan would be ready to go. The first phase of the communication plan would be personalized letters to the 1,500 people known to have had their credit cards compromised. In the letter would be the numbers of Experian, Equifax and Transunion, and an offer of lifetime credit monitoring and identity protection with all for free…