Marketing 101: The Mea Maxima Culpa Rule

A sideways rumination on data privacy breaches.

By Mary Ludloff

If you’ve been following our series on data privacy over the last couple of weeks you, like me, may have found yourself surprised appalled by the way in which companies have publicly handled privacy breaches. 

As you may or may not know, I am in marketing and have been “in” marketing for a number of decades (it’s not polite to ask just how many years this represents, but in the interest of transparency it’s more than 20 and less than 30). Over those decades, much in marketing has changed. However, I would argue that the marketing fundamentals have not, one of which is what I like to call the Mea Maxima Culpa Rule.

Here’s how the rule works. A company has done something wrong, purposefully or not. What the company does next will define it pretty much forever. Does it come clean? Acknowledge the mistake, make reparations, and explain how it will do better in the future? Or does it obfuscate in the hopes that it will not get “caught” and the transgression will remain private?

Now, let’s not discuss the ethics behind the transgression or get caught up in a discussion of what’s morally questionable versus downright reprehensible. Cynic that I am, I have found that most “wrongs” are usually the result of unintended consequences and less the result of purposeful malfeasance. My counsel whenever this happens is always the same: publicly and sincerely admit your mistake, talk about the changes you have made internally to prevent this from ever happening again, and follow through. In PR lingo this is often called staying ahead of the story. I don’t like to call it this because (to me) it’s not a story; it’s a defining moment for a company.

Consider Gawker and Lush as two prime examples of how not to handle a “mistake.” For Gawker, it was delaying the report of a breach of privacy regarding commenting accounts. For Lush, it was delaying admitting that their site was hacked resulting in stolen credit card details. Now it does not take a rocket scientist to figure out why both companies “delayed” because both breaches reveal what can only be characterized as bonehead stupidity when it comes to keeping data secure:

• Gawker’s founder reported that his account appeared to be hacked and requested someone look into it, but never changed his login and password, and never followed through. A string of events that happened after that illustrate both arrogance on the part of the Gawker team and lax data security policies.
• Lush’s transgression stemmed from holding customers’ financial data in an unsecure environment (making it a great target for a data breach) and then treating the fallout in a humorous way on their website. As any person who has had their credit card information stolen can tell you: it is never funny.

Had either company engaged in the data security measures that most companies, like PatternBuilders, consider a baseline for data protection, they would not have had these breaches. (For more on how companies should conduct themselves when it comes to the privacy of data, please see the previous post.) Gawker and Lush then compounded their problems by not reporting the breaches in a timely manner.

What’s at stake for these companies and others that engage in this type of behavior? Whether we are talking B2B or B2C, the answer is the same: it’s a breach of trust that may not be recoverable. In the B2C world, switching costs are low so you lose customers and sales. In the B2B world where switching costs may be much higher, you may not lose the customer right away but I guarantee that if a disruptive technology comes along that renders your solution obsolete, you are out the door as well.

Can you turn this around?  Yes, but you need to apply the Mea Maxima Culpa Rule and as I like to say, “Fall on your sword in a big way.”

An example for you: ASK Computer Systems. In its prime, ASK was a leading provider of ERP software and had a rabidly loyal customer base. That loyalty was put to the test when ASK released a bug-ridden software update. Customers who upgraded pretty much went nuclear—their ERP systems no longer worked causing all kind of unintended consequences, none of which were good. What did ASK do next? The executives got together split the customer list and personally phoned each customer to apologize for the release, they then sent a letter to each of them laying out what they were going to do to “fix” this, and then updated them on a weekly basis on how they were doing. Significant changes were made to the development and beta processes and customers were informed of these changes as they happened. The next release was the smoothest in the company’s history. And, needless to say, the customer base remained rabidly loyal.

Here are my final thoughts on the subject: you cannot hide from the truth. The best way to handle those bonehead stupid moments—whether they are data breaches, poor quality software releases, or fill-in-the-blank—is to be professional enough to avoid them in the first place.  Failing that, you need to admit them, fix them, and then, lead by example. You cannot put a price on trust and once it’s lost, you may not be able to get it back.