Does the CEO’s Message Express Appropriate Levels of Regret, Reform, Restitution, Reaffirmation and Recovery?
8/27/21 – – If you’re a T-Mobile customer, you’ve probably read today’s email from the company’s CEO Mike Sievert apologizing for the cyberattack revealed earlier this month that compromised the private information of 50 million people – including yours. Chances are good that your social security number, driver’s license information, date of birth, address and phone number (just about everything other than blood type) are for sale online to the highest bidder.
As data breaches go, this one’s a doozy. Lots of victims, loads of highly private information and a cocky 21-year-old hacker who gave an interview to The Wall Street Journal taking credit for the crime (he was the one who first alerted T-Mobile to the heist) and chastising the company for its lack of cyber security. Two class-action lawsuits have already been filed in California and Washington State.
Sievert’s message, titled “The Cyberattack Against T‑Mobile and Our Customers: What happened, and what we are doing about it,” is worth analyzing from a crisis response perspective. Hopefully you or your company will never have to write such an apology, but cyberattacks are getting to be so common, it’s worth going to school on T-Mobile’s response.
In Chapter 12 of The Crisis Preparedness Quotient we focus on the “five Rs” of crisis response: Regret, Reform, Restitution, Reaffirmation and Recovery. When you’ve screwed up, it’s worth trying to get as many of these elements into the content of a “sorry about that” message. “We’re sorry this happened . . . we understand what happened and have made important fixes to make sure it never happens again . . . we’re going to compensate you for the trouble we’ve caused you . . . we’d like to reiterate the priorities and purpose that drive us . . . and we’re in the clear, back in business to serve you better than ever.”
Getting all five into your message is aspirational – it’s not always possible, for example, to issue an “all clear” or, in the case of a data breach, outline all of the reforms you’ll be making to strengthen your firewall. But the “five Rs” provide a useful template to achieve your goals of calming and keeping your customers.
Take a moment and read Sievert’s letter with the “five Rs” in mind. I don’t want to prejudice your review. But start by finding the expressed Regret. (Hint: You won’t find it in the first two paragraphs.) See if you think the Reforms are comprehensive enough to win back your trust. Does the generosity of the offered Restitution match the potential damage that’s been done to customers’ privacy? Do you come away comforted by the principles and commitments T-Mobile Reaffirms? Are you convinced that security has been Recovered and business will get back to normal?
What you shouldn’t include in this type of communication is a lengthy defense of your shortcomings. A “hey, it’s happening to everyone” appeal compromises the effectiveness of the “five Rs.” Is there too much of that in Sievert’s letter?
See what you think.