After the breach

Russell Walker ’06 weighs in on how companies can recover
from online data invasions

Russell Walker ’06

With a growing number of companies, including Target and eBay, suffering massive online data breaches, Professor Russell Walker says businesses must resist the temptation to sweep security deficiencies under the rug if they want shoppers to trust them.

Many companies are reluctant to readily disclose internal invasions that reveal consumers’ personal details. For example, the technology firm

If you’ve been a
company that’s
experienced this,
be open and
transparent. That’s
the way to recover.
Because there will
be other events.

Snapchat, whose app lets users take and share photos and videos, was hacked last December, exposing 4.6 million user names and phone numbers. Company officials drew criticism after they waited for days before speaking publicly about the breach.

But such incidents "are a natural place for companies to have a conversation with the customer about their commitment to their customers,"said Walker, a clinical associate professor of managerial economics and decision sciences. "If you’ve been a company that’s experienced this, be open and transparent. That’s the way to recover. Because there will be other events.”

Despite a short-term drop in profits, companies ultimately can recover from such incidents, Walker said. But in the Target case, he expects it will take "quite a while"because of the enormity of the theft. That breach, in late 2013, is believed to have compromised the personal data of as many as 70 million people.

Target has taken steps such as apologizing to customers and offering them a year of free credit monitoring, but Walker contends that more can be done. "If I were Target,"he said, "I’d want to use this as an opportunity to create a new relationship with the customer. Roll out a new coupon, do a security upgrade and get confirmation of it."

In his 2013 book Winning with Risk Management, Walker examines risk management through business case studies. One such study involves the 2007 breach at TJX Co., the parent company of T.J. Maxx and other retailers, in which as many as 94 million Visa and MasterCard accounts were exposed to fraud.

He noted that the TJX data theft shared similarities with Target’s. With TJX, "There was an active decision not to upgrade a particular piece of security and it was deemed highly improbable there would be an attack resulting in damages,"he said. "I believe that a similar decision was taken by Target … It suggests a big part of doing business and handling credit cards – just handling customers – has to be an investment.”

Members of Congress have discussed setting a national standard for corporate data-breach notifications, and Walker says the day may arrive when a digital consumer bill of rights becomes necessary. But in teaching about data theft at Kellogg, he says recent incidents haven’t unified his students’ concerns about privacy.

"There’s a strong separation between those who see disclosure and sharing as harmful and those who don’t,"he said. "It may be our more tech-savvy customers don’t see disclosure as challenging as previous generations did.”

Learn more about Walker’s
research at