Project Progress

The assignments depend on one another. During the project life cycle, project risk reviews and reports are required, as previously identified in the risk management plan. Two months after the project started, the following events have taken place:

The top two threats have occurred.
The top opportunity has been realized.
The project’s risk budget is already exhausted.
The risk management schedule has been shortened by two months.

Write a 4–6 page paper in which you:

Analyze the impact of the events on the project.
Determine if any mitigation activities are required, and explain why.
Determine if budget or schedule changes are necessary, and explain why.
Update the risk register and highlight the changes made. Provide the justification for the changes.
Use at least four quality resources in this assignment.

Assess the impact of events on the project’s progress in order to determine an appropriate risk response plan.

www.hbrreprints.org

HBR Case Study and Commentary

Boss, I Think Someone Stole Our Customer Data

by Eric McNulty

How should the Flayton Electronics team respond to the crisis? Four commentators offer expert advice.

Reprint R0709A

harvard business review • september 2007 page 1

HBR’s cases, which are fictional, present common managerial dilemmas and offer concrete solutions from experts.

Copyright © 2007 Harvard Business School Publishing Corporation. All rights reserved.

Flayton Electronics learns that the security of its customer data has been compromised—and faces tough decisions about what to do next.

Brett Flayton, CEO of Flayton Electronics, stared intently at a troubling memo on his desk from the firm’s head of security. Running his hands through his full head of barely graying hair, he looked not unlike his father did when he established the first Flayton Cameras and Stereos 25 years ago.

The security situation had come to Brett’s attention just before nine o’clock the previous evening. On his way home from a vendor meeting, he had been settling into an armchair in the airline lounge. He had barely opened Electronics News when his mobile phone rang. It was Laurie Benson, vice president for loss prevention.

“Brett, we have a problem. There might be a data breach.” Laurie, a tough but polished former Chicago police detective, had been responsible for security at Flayton’s for almost three years. She had an impressive record of reducing store thefts while building productive relationships with local schools, community groups, and law enforcement.

“What kind of data breach?” Brett asked. His tone was calm, as always, yet he scanned the lounge to make sure that no one could overhear.

“I’m still not sure,” Laurie admitted. “I was contacted by Union Century Bank. They regularly examine their fraudulent accounts for patterns, and we’ve shown up as a common point of purchase for an above-average number of bad cards. They’re getting me more information, but I thought you’d want to know right away. It could be nothing—or it could be significant.”

Brett recalled the newspaper stories he had read about stolen laptops with veterans’ records stored on them and about hackers trying to penetrate eBay and other big online retailers. His firm was just a regional chain with 32 stores in six states and a modest online presence. Flayton’s could hardly be a target for stealing lots of customer data. Or could it?

“Laurie, I’m not sure I understand. People were using stolen credit cards at our stores? Our clerks weren’t checking cards correctly?”

“No,” she replied earnestly. “It looks like we might be the leak.”

New Territory

Back in his office the next morning, Brett surveyed the fruits of his own overnight Internet research. Data theft was apparently common, and companies could be breached in various ways. The thieves stole credit card information, social security numbers, bank account information, and even e-mail addresses. There seemed to be a black market for almost any kind of data. He learned that the criminals were becoming increasingly clever and that no one was immune. He took some comfort in his company’s having recently spent considerable time and money becoming compliant with new payment card industry, or PCI, standards for data protection.

Laurie sat across from Brett in silence. She had anticipated this kind of theft would happen sometime, but actually coping with it was new territory for her. All of her related professional experience had involved the stealing of physical property. In this case, data had been obtained illegally by someone, somewhere—but with no clear-cut crime scene to sweep for clues.

A routine analysis by Union Century Bank of fraudulent credit card charges identified purchases at Flayton’s on almost 15% of the cards in this particular batch of about 10,000 compromised accounts—so roughly 1,500 in all. It was a surprisingly high number for a routine check. Union Century had begun to notify other banks, as well as Visa and MasterCard, to see whether they had observed similar patterns.

“Wouldn’t we have noticed that ourselves?” Brett asked. “We get regular reports from the banks.”

“Not necessarily,” Laurie replied. “We would have, if the purchases at Flayton’s had been fraudulent. But that’s not what seems to have happened. The purchases were legitimate, but the account information is being used elsewhere illegitimately. We could not have identified the problem, except through a random check like the one Union Century did. The 1,500 accounts could be just the tip of the iceberg.”

“What’s our potential exposure?” Brett inquired matter-of-factly. Quietly he wondered whether the firm’s PCI compliance would provide sufficient protection.

“Not sure, I’m afraid. The credit card holders are protected by the bank, but what that means for us is tough to say.”

“Why do we have to notify customers at all?” Brett asked, genuinely puzzled. “Haven’t the banks already informed them that their accounts have been compromised?”

“It’s not that simple,” Laurie explained. “Some banks have sophisticated analysis tools to detect unusual patterns early on, but that method is imprecise. Often banks don’t begin to recognize a problem until a bill goes unpaid or a credit card holder complains. They usually just monitor a situation until specific problems arise. If cardholders don’t pay close attention to their bills, fraudulent debt could accumulate for months before it’s caught. As I understand from the bank, alerting our customers that their data might have been stolen could be the best means of early detection.”

Laurie had brought herself up to speed pretty quickly and had spent the early morning hours briefing key managers and flagging possible areas of vulnerability in the data chain. The chain itself was simple, but identifying its weakest points was not. At the cash register, a customer presented a payment card, which was swiped through a reader. The information from the card and the specifics of the purchase were transmitted to a bank for approval or rejection. It all happened in seconds. Transaction information was stored on company computers and showed up in a number of reports. Credit card numbers shouldn’t have been stored in the firm’s system, but Laurie still didn’t grasp every step of the process. Could the card readers have been hacked? Could the data lines between the stores and the bank have been tapped? Were the stored data secure? Might someone have inserted code into the company’s software to divert certain information to a remote computer—or even a computer on the premises? Could it have been an inside job? Or perhaps the work of someone who had been fired?

“Any chance that this could just be someone’s careless mistake?” Brett volunteered. “Maybe an employee tossed files into the dumpster.”

Eric McNulty (emcnulty@hbsp.harvard.edu) is the managing director of the conferences division of Harvard Business School Publishing, which publishes HBR, in Boston. His weekly online column, “Heard in the Suite,” appears on Thursdays at www.harvardbusinessonline.org.


“Well,” Laurie shrugged, “it’s possible.” She paused, then shook her head. “But not likely.”

“What about some kind of coincidence?” Brett was grasping at straws. “Perhaps 1,500 of our customers just had the same bad luck?”

Laurie inhaled deeply, then exhaled slowly. “Anything’s possible at this point. I need to know more than I do now. The bank connected me with the Secret Service, which is handling the investigation because accounts in multiple states were affected. It will take a couple of days to have other banks try to corroborate Union Century’s findings. For now, the Secret Service recommends that we run background checks on everyone who could possibly have access to data on the scale of the breach—even people we’ve run checks on before. We should also pull personnel files on anybody we’ve let go in the past year for cause. And we need to check, check, and triple-check every system in the house.”

“I’m sure that Sergei already has that in the works,” Brett replied. He knew that kind of thing would drive Sergei Klein, the CIO, nuts until he figured it out. Brett rose and paced around the perimeter of his office. He paused at the window to survey the more than 300 cars in the parking lot. He felt some responsibility toward every person with a vehicle in that lot and toward the hundreds more who worked in the stores.

“What else did the Secret Service say to do?” Brett had visions of black SUVs with tinted windows, full of earnest agents in wraparound sunglasses, descending on his headquarters and stores.

“First,” Laurie explained, “they asked that we keep this under wraps until we get a full picture. Now that the banks know what’s going on, they can shut off the cards quickly when fraud surfaces. But the feds want enough normal activity to allow them to do a proper investigation and, we all hope, initiate prosecution. Although the Secret Service is taking the lead, they expect to also involve some state and local fraud units.”

“But what about the customers? We can’t knowingly let them be defrauded!” Brett was uncharacteristically adamant. “This business was built on trust. Our reputation for a square deal is a competitive advantage. I don’t ever want to have to look a customer in the eye and defend not being straight with him.”

“It’s a question of the greater good,” Laurie offered. “The customers will not be responsible for the charges. They’re fully covered. We have to nail the bastards who did this.”

Limited Defenses

Brett couldn’t bear to just wait for answers. He quickly ushered Laurie out of his office, canceled his next meeting, and made his way past a dozen gray cubicles toward Sergei’s haunt. Listening to the sounds of fingers clicking on keyboards and file drawers opening and closing, he couldn’t help but marvel at how much information was available to anyone in those cubicles at any time.

As Brett arrived at Sergei’s door, the CIO was slamming down his phone in frustration. Brett’s attention shifted from the receiver directly to Sergei’s eyes. Sergei swallowed.

“Sergei, what do we know?”

“We’re still trying to determine what happened,” the CIO offered meekly.

“But we are sure that our PCI systems were working, right?” Brett pushed.

“Becoming PCI compliant is complicated,” Sergei hedged, “especially when you’re constantly improving your own technology.” He ran through a laundry list of the complexities of recent improvements. At any given moment, Sergei had three or four high-priority tech projects in various stages of implementation. It was a constant juggling act.

Brett, in a rare display of anger, pounded his fist on Sergei’s desk. “Are you saying, Sergei, that we’re not actually PCI compliant?”

Sergei stiffened. “We meet about 75% or so of the PCI requirements. That’s better than average for retailers of our size.” The response was defensive but honest.

“How have we been able to get away with that?” Brett growled. He knew that PCI compliance, which was mandated by all the major credit card companies, required regular scans by an outside auditor to ensure that a company’s systems were working—with stiff penalties for failure.

“They don’t scan us every day,” Sergei demurred. “Compliance really is up to us, to me, in the end.”

Core Values at Risk

The wall across from Brett’s office was covered with hundreds of photographs taken with cameras bought at Flayton’s. Weddings, vacations, graduations, sunsets, and smiling infants—all sent in by customers. Similar displays brightened the walls of every Flayton Electronics store, to remind employees that customers are not just wallets who buy your products. One of the pictures closest to Brett’s doorway was of his father handing over a poster-size check to a local charity.

As Brett contemplated the photos, he wondered whether he had pushed growth too quickly. After his dad retired, Brett ramped up his ambitions. He had sought private equity investment a few years ago, and he was constantly aware of his obligation to deliver the returns he’d promised. His strategy had been aggressive, but he was confident in it—until now. Had he been shortsighted about the infrastructure needed to run a much larger company? Had his company’s needs outgrown the capabilities of his longtime staff? Had he left Flayton’s vulnerable by underinvesting in systems? Had he pushed for too much, too fast?

Into the Breach

By day’s end, Brett had assembled the top management team to review the crisis plan. Things seemed even more grim than they had in the morning.

Laurie informed the team that, with new information from additional banks, the number of accounts known to be compromised was increasing. The total was still not clear but certainly far more than the initial 1,500.

Sergei reported finding a hole—a disabled firewall that was supposed to be part of the wireless inventory-control system, which used real-time data from each transaction to trigger replenishment from the distribution center and automate reorders from suppliers. The system helped keep inventories low, shelves full, and costs and lost sales to a minimum. With the firewall disabled, however, supposedly internal company data were essentially being broadcast.

“All you’d need is the right equipment and the wrong motives,” Sergei admitted. “But you’d have to be somewhere relatively close to the store because the broadcast range is limited.” He paused to survey the expressions of his colleagues, ending with Brett. “We can get the firewall back up as soon as the cops give us the go-ahead.” He knew his job was on the line.

“How did the firewall get down in the first place?” Laurie snapped.

“Impossible to say,” said Sergei resolutely. “It could have been deliberate or accidental. The system is relatively new, so we’ve had things turned off and on at various times as we’ve worked out the bugs. It was crashing a lot for a while. Firewalls can often be problematic.”

Brett looked at the human resources director, Ben Friedman, who had several personnel folders in front of him. “We’ve had five departures of people who were involved with that system in some way,” Ben said, thumbing through the files one by one. “Two resignations, one to return to grad school, one termination for a failed drug test, and one termination for downloading inappropriate material using company computers.” He placed the folders on the table, paused, and slid the two for the terminated employees over to Brett.

“Well,” Brett sighed, “that gives us a couple of possible suspects.” He turned to the communications director, Sally O’Connor. Earlier that day, she had handed Brett a memo outlining three communications options, which Brett had been contemplating ever since. Holding a press conference would get Flayton’s out in front of the story—and it would, Brett thought, be the most forthright approach. He was troubled by Sally’s second option—informing customers, by letter, that there had been a breach and that the situation was being addressed. He felt it might generate more customer anxiety than reassurance and could make Flayton’s appear to be hiding something. The final option—do nothing until law enforcement was ready to go public—was the easiest in the short term because it put the decision in other hands.

Darrell Huntington, longtime outside counsel for Flayton’s who had been briefed late the previous night, rose from his seat. “Let me say a couple of things. First, we still have no definitive proof here. All the evidence is circumstantial. And from my review of past cases, it’s clear that whoever goes public first is the entity that gets sued.”

“Who would be most likely to bring the suit?” asked CFO Frank Ardito. “No customer will suffer financial damage, right? The banks protect them.”

“We could be sued on any number of grounds I won’t go into here,” said Darrell, “but other breaches have brought lawsuits from customers, banks, and even investors. Whether you win or lose, it costs you—and there’s bound to be a lot of media coverage.”

“Aren’t we required to disclose this to our customers immediately?” Frank inquired.

“Three of the states in which you operate require immediate disclosure, and the other three do not,” Darrell noted. “But from what I understand, you don’t know what role, if any, Flayton’s has in this possible crime. A bank has identified a pattern. There seems to be a correlation between cards with fraudulent activity and cards used to make purchases at Flayton’s. That could be a coincidence. At this time, we have no actual evidence of a data breach at Flayton’s. None.”

“What are we supposed to do?” Brett pressed. “Doing nothing is not an option. Not for me.”

“That is exactly what you should do,” Darrell asserted. He turned to Sally. “Your communication strategy should be not to talk to anyone. If you do get a call from the media, simply confirm that Flayton’s has been contacted by law enforcement authorities regarding an investigation about which you have been given no information and with which you are cooperating fully. Refer them to the Secret Service. They don’t tell anybody anything.”

“That may work for now,” Brett acknowledged, “but, Sally, I want you to anticipate the next steps. However we communicate eventually, I want to offer straight talk, not spin.” Darrell sat down.

Brett knew there were no easy answers. His online search last night had turned up a recent survey documenting that customers are reluctant to shop in stores known to have data breaches. Darrell was arguing that Flayton’s could be vulnerable simply by trying to do the right thing and getting the news out quickly. Yet, the company’s future depended on its reputation for fairness—one painstakingly earned over decades by Brett’s father.

“Well, the decision may soon be out of our hands,” said Sally. “I was reviewing the affected accounts, and one very interesting name cropped up: Dave Stevens, evening news anchor at KCDK-TV. Apparently, we installed a home theater for him.” She turned to Brett. “Stories like this always leak somehow.”

Brett shifted his jaw, pushed back his chair, and stood. “So if I understand this correctly, we have circumstantial but strong evidence that a breach has occurred, we have two former employees who might or might not be involved, some states that require we disclose, feds who want us to shut up, and a television personality among the victims. If we disclose, we’ll probably get sued; if we don’t, the story will eventually leak. The feds may get the perpetrators if we give them time, but there’s no guarantee. No matter what, our reputation is on the line, and competitors will start running promotional specials to lure customers away first chance they get. And I am wondering if I can ever look a customer squarely in the eye again. Did I miss anything?”

Brett leaned forward and put both hands firmly on the table. His eyes met those of each member of his team. He knew—and trusted—them all. “The one thing I’m sure of is this: The Flayton name means something to me, to our employees, and to our customers. We’re going to decide what to do. Today.”

How should the Flayton Electronics team respond to the crisis? • Four commentators offer expert advice. See Case Commentary.

Case Commentary

by James E. Lee

How should the Flayton Electronics team respond to the crisis?

How you react to news of a security breach at your company is, as a practical matter, much more important than what actually happened. Whether your business can survive the episode will depend on the corrective action you take and how you communicate about it to the various stakeholders. My firm’s experience offers an excellent illustration.

ChoicePoint provides decision-making insight to businesses and government through the identification, retrieval, storage, analysis, and delivery of data about individuals and institutions. In 2005 our company was the victim of a fraud scheme in which criminals posed as customers to obtain the personal information of 145,000 people from our data systems. No technology breach occurred, but the media characterized the incident as if one had. We discovered the nefarious activities ourselves and reported them to the Los Angeles County Sheriff’s Department, with whom we set up a sting operation that eventually led to the prosecution of a Nigerian crime ring.

We agonized over choosing the right strategy for alerting consumers whose data may have been obtained fraudulently from ChoicePoint. In the end, we notified everyone believed to be at risk, regardless of their state of residence. We updated employees daily, and we had frequent conference calls with managers and officers. Our CEO and other senior executives visited key customers and investors to share the many new policies and procedures we were adopting to prevent a recurrence. All of these stakeholders were, we recognized, pivotal to our survival.

Some of our preventive steps were radical, including abandoning a line of business worth $20 million because of its potential to risk a future data breach. Changes in culture often were required. For example, every employee must now pass yearly privacy and security training courses as a condition of employment.

At ChoicePoint, we learned quickly that in situations like these, many factors are beyond your control. The media can be a huge distraction. But it’s much worse than that. You face inquiries from many quarters, in our case from multiple state attorneys general, the Federal Trade Commission, and the U.S. Congress. You might be sued by banks; by others involved in the credit card transaction chain, such as processing companies and consumers; by shareholders; and even by employees and retirees.

For Flayton Electronics, moving swiftly in the face of crisis will be essential. Timing is a crucial factor in the inevitable lawsuits, which focus on what executives knew and how long they knew it before going public. Beyond fixing the firm’s weaknesses in data security, CEO Brett Flayton must develop a brand-restoration strategy. The company should, as ChoicePoint did, notify the affected customers rapidly, set up toll-free information hotlines, and offer credit-monitoring services. Then they must exceed these basics with a broad range of extras to keep customers loyal: Offer discounts and sales, meet with critics of the company, and develop and promote new web pages that outline reforms in the firm’s policies and practices.

Communiqués will also need to evolve to demonstrate responsiveness to developments, or else risk that the words of company executives will be perceived as just corporate lip service. Tone is very important. Public statements must be not only accurate, but sincere, contrite, and honest.

Flayton’s will also have to address the influence of blogs, viral videos, and other social media. Such user-generated content, unfiltered by traditional journalists and accessible by anyone using an online search engine, is often a mode of recruiting lawsuit plaintiffs and airing personal grievances.

Finally, Brett and his team will need patience in spades. The problem will not go away when the headlines do. Mitigating the effects on brand and reputation will take, I estimate, three to five years. Flayton’s has a long road ahead.

James E. Lee (james.lee@choicepoint.com) is the senior vice president and chief public and consumer affairs officer at ChoicePoint, based in Alpharetta, Georgia.


Case Commentary

by Bill Boni

How should the Flayton Electronics team respond to the crisis?

Most senior executives have the insight and the measurement tools to assess potential damage from tangible disasters such as floods and fires. That’s not often the case when it comes to information security, including prevention of and planning for data theft. “Let the technical staff handle that” tends to be the default strategy, with responsibility relegated to nonsenior IT or corporate-security management. Businesses that are serious about protecting their data and preserving the data’s value should have a high-level official, such as a director or a vice president of information protection, who serves not merely as a manager but as a senior champion in this area.

Seven years ago, I was appointed Motorola’s first-ever corporate information security officer. As a data-protection leader, I am responsible for the firm’s information and IT environment globally and for having a comprehensive strategy for risk management. One useful strategy component is to require every new initiative to identify, in the initial idea phase, the data that might be involved—and their value. This mandate builds appropriate safeguards right into the projects themselves. Also beneficial are policies, procedures, and training protocols that are customized for each company function, to reduce the likelihood that individuals will make wrong choices because they do not understand how the overall data standards apply to their specific roles.

Being fully PCI compliant is, of course, a vital first line of defense against data theft, and my best guess is that a third of companies meet that standard. However, increasingly capable cyber adversaries do not give up and offer their congratulations because you did what you were supposed to do. During my tenure in information security, hobbyist hacking has evolved to become a much more sophisticated, parasitic extraction of valuable data from targeted organizations. One common fallacy is that silver bullet technology can save the day. I’ve seen organizations spend hundreds of millions of dollars on security safeguards that were penetrated by a knowledgeable person with a handheld device. For example, Motorola proved to one of its customers, who had invested heavily in some of the best protection technology available, that we could access their core business systems using just a smartphone and the Internet.

To prevent and cope with data breaches, you need …
