Crisis management 101:
Make a mistake? Fess up. Right away. Don’t wait for followers, supporters, the press and social media to pile on.
I know it’s hard to admit you screwed up but we’re all human and these things happen. In fact, by apologizing, admitting your mistake and promising to do better in the future, you INCREASE your authenticity rating with your followers.
They’re humans too and they make mistakes all the time.
Zoom Outage- Getting It Right
Let’s look at two recent examples of customer service emails which include apologies- how to apologize and how not to do it.
Let’s start with Zoom. You know, the platform where you have business meetings in the same sweatpants you’ve been wearing since March.
On August 24th Zoom experienced what they termed a “service disruption,” what the rest of us called an outage. For thousands of users around the globe, Zoom simply didn’t work. That meant thousands of meetings had to be cancelled (yay!) and thousands of children attending their first day of online school classes missed class (boo!).
All Zoom subscribers received an email later that day from Zoom. Let’s break it down:
“Dear Valued Zoom Customer”
This should be personalized! They have my name (I’m a paying subscriber) so address it to me. You can tell me that I’m valued in the opening sentence of the email.
Lesson: If you have the person’s name, use it in your correspondence.
“As you may know, at 4:56 am PDT today, August 24, Zoom experienced a partial disruption of our Meeting, Webinar, and website services. We largely restored service by 8:26 am PDT. We have determined that the cause of this service disruption was related to an application-level bug in our system, which resulted in a web login issue for customers.”
They immediately admit what happened. They tell you in broad terms what the issue was (a bug) rather than diving into the details, which most of their subscribers would not have understood. A bug in the system? That we can grasp. Beyond that? Most of us aren’t engineers.
Lesson: Speak the language of your readers!
“We always take very seriously our responsibility to keep you connected and we know that you are relying on us during this particularly challenging time. We deeply regret this incident and sincerely apologize. I’m personally disappointed that we have let you down and I am sorry for any inconvenience this may have caused.”
They know the importance of their mission to their customers (keep people connected) and they feel your pain (particularly challenging time). Their apology is from the person sending the email to me. One to one.
Lesson: Make sure your apology is sincere and personalized. They’re sorry for the inconvenience and although it may have disrupted our morning, we can accept their apology.
One nitpicky item: I might have considered switching the 2 paragraphs: Have the apology in the opening paragraph and the reason for the outage in the second paragraph.
“I am proud of our dedicated team working to enable our customers’ work, schooling, and social lives during the global health crisis. We are intensely focused on scaling our collaboration and cloud technology to help Zoom reliably connect the world now and in the future. I’m here to get this right and will personally do my best to prevent disruptions like this from happening in the future. Zoom’s availability and reliability is a top priority and we appreciate all of your support.”
This is a fantastic paragraph! They understand how we all use their product and they are dedicated to improving the service so we all benefit.
Lesson: Notice that again it is personalized- the person sending the email is giving a personal guarantee to right the ship. It’s not just the company; now there’s a name attached to the person in charge of helping prevent future outages.
President of Product and Engineering”
Lesson: Make sure the email is signed by a person within the organization who has the authority to oversee changes and fix failures. The CEO is always good but in this case Zoom did the right thing by having the email come from the head of Product.
Put simply: This email from Zoom is timely, spells out the problem, apologizes and empathizes with me and promises to work to prevent further outages. Good stuff.
Blackbaud- Poor Customer Service
If you’ve been paying attention to the goings-on in the nonprofit world, you’ll know that Blackbaud was the victim of a ransomware attack. Given the high number of nonprofit clients who rely on Blackbaud’s services, one would assume Blackbaud would immediately let customers know and reassure them that everything is under control.
They did the exact opposite.
Although the attack occurred in May, they only sent out emails to certain clients on July 16. Curiously, those letters started arriving in client inboxes the same day The Nonprofit Times broke the story about the ransomware attack.
My guess is Blackbaud was asked to provide a comment for the story (which they did) a day or two before the story went public. The Blackbaud PR and marketing team (and legal. Don’t forget legal!) then had to scramble and put together an email, which was then sent to… only those nonprofits who may have been affected.
The rest of their clients? They found out about the story via numerous media articles and social media. No official communication from Blackbaud.
Lesson: Don’t do that! 1) Let people know about this kind of attack right away. 2) Tell ALL your clients. Everyone is going to eventually find out. Why make organizations that didn’t receive the email sit around and wonder if their donor information is secure or not?!
Blackbaud: Wait For It, Wait For It… Seriously. It Takes A While
According to the above article, Blackbaud is the target of millions of cyberattacks each month. These attacks are not their fault: cybercriminals are always looking to breach systems and hold the data ransom. However, Blackbaud’s customer service in this case was severely underwhelming.
Read the letter below. I guarantee you lawyers were involved in composing it, to minimize any admission of guilt by Blackbaud and thus the risk of being sued. Which is actually what just happened.
The letter was personalized. I have on purpose removed the names of the people the email was sent to.
“We are writing to notify you about a particular security incident that recently occurred. Please review this email for a personalized link, next steps and resources created for your organization specifically.”
Good of Blackbaud to create a special link for some organizations to be able to learn more. Note: This type of link was not offered to all organizations who received the email.
“The Cybercrime industry represents an over trillion-dollar industry that is ever-changing and growing all the time—a threat to all companies around the world. At Blackbaud, our Cyber Security team successfully defends against millions of attacks each month and is constantly studying the landscape to ensure we are able to stay ahead of this sophisticated criminal industry. In May of 2020, we discovered and stopped a ransomware attack. In a ransomware attack, cybercriminals attempt to disrupt the business by locking companies out of their own data and servers. After discovering the attempted attack, our Cyber Security team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system.”
The first two sentences are inconsequential to readers. The paragraph should have started with “In May 2020…” and right away explained the ransomware attack.
Lesson: Come right out and say it!
“Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment. The cybercriminal did not access credit card information, bank account information, or social security numbers. Because protecting our customers’ data was our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.”
A “subset of data from our self-hosted environment” is technology jargon. Speak a language people understand!
But more importantly, the third sentence: Blackbaud paid a ransom demanded by the cybercriminal after receiving confirmation that the stolen data was destroyed. Which of course will set off alarm bells in the heads of those reading the email. The person’s a criminal- Blackbaud is taking them at their word that they’ll destroy what they stole?!
Therefore the below paragraph is necessary to reassure clients that their data is safe.
“Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly. In accordance with regulatory requirements and in an abundance of caution, we are notifying all organizations whose data was part of this incident and are providing resources to help them answer any questions.”
Just one thing which a reader would automatically ask: Why did you wait 2 months to inform me?! Poor customer service.
“What This Means for Your Organization Specifically
Our public cloud environment (Microsoft Azure and Amazon Web Services) and most of our self-hosted datacenters, products and customers were not part of this incident, but we have confirmed the following specific to your organization:
We have confirmed that the cybercriminal removed a copy of ___ we prepared for your organization. It is important to note that no personal information about your constituents was accessed.
And again, based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly. We have hired a third-party team of experts to monitor the dark web as an extra precautionary measure.”
The dark web? I understand that Blackbaud for legal reasons has to add all the above information but it’s not helping to reassure anyone!
Think about it: Every nonprofit that receives this letter now has to let their donors know that their personal information may have been hacked. I’m sure it’ll be “fun” telling these donors that this happened OVER TWO MONTHS AGO and this is the first they’re hearing about it.
Your donors trust you with their most sensitive information. You entrusted that data to Blackbaud. Blackbaud knew about this in May but didn’t inform you until mid-July. If I were a nonprofit executive, I’d be furious with Blackbaud.
“We have created a resource page for you that features a toolkit with a step-by-step guide to help you as you digest this information. It also contains answers to key questions, links to educational webinars (hosted by Rich Friedberg, Blackbaud’s Chief Information Security Officer and Cameron Stoll, our Head of Privacy), information about our future plans, and other resources.”
Future plans?! Considering the language used until now, no one getting this email cares in the least. They’re dealing with the here and now, trying to figure out how, during a time of crisis, they are going to tell donors that their data may have been compromised, and wondering how this could adversely affect year-end fundraising.
“It is unlikely but possible, depending on jurisdiction, that our customers may have to make further notifications to constituents or other third parties. Your toolkit provides a written guide to notification laws and access to a webinar that helps you assess potential notification requirements in your jurisdictions. We advise you to also consult with your organization’s legal counsel to understand any notification requirements. We want to continue to be your partner through this incident. If you determine that you do need to notify your constituents, we have included templates in your toolkit to make it easier.”
All legalese. Not personalized. No empathy. Just consult your lawyer and we’ll help where we can. Ugh.
Lesson: I understand that lawyers need to be involved in the wording of these types of emails. But minimize their overall influence on the verbiage or it comes out sounding impersonal.
“If it has not already happened, someone from our team will be reaching out to your organization directly in the next 24 hours. If you have additional questions after speaking to the team member who reaches out to you today, you can contact the dedicated team we have established for this incident: North and South America: 1-855-907-2099 between 9 a.m. and 9 p.m. ET Monday – Friday”
Additional questions? NO! Say the phone number is open to everyone who needs it. Full stop. Why put boundaries on who can call? This may be a lot for some people to digest in one customer service call. Encourage people to use the hotline whenever they need.
“We understand this situation is frustrating. This was a very sophisticated attack, and while we were able to defend against it for the most part, we realize this is still requiring that you invest time to review the situation, and that you may need to invest time to take follow-up actions. We apologize for this and will continue to do our very best to supply help and support as we and our customers jointly navigate any necessary response to the cybercriminal’s actions.”
FINALLY! An apology. IN PARAGRAPH ELEVEN! Actually, no apology for the fact that they waited so long to tell customers. It’s an apology that maybe some of their customers will “need to invest time to take follow-up actions.”
Is that the best Blackbaud could do? Couldn’t they empathize more with what this could do to many of their clients? Everyone is worried about identity theft. When they donate securely to a nonprofit, they trust that organization with personal information.
Yes, hacks will happen. But Blackbaud needed to take a customer service approach: apologize, offer assistance, empathize, and explain in jargon-free language how they will continue to safeguard personal data in the future.
Chief Information Officer”
At least it was signed by the correct person at Blackbaud.
Zoom understood the inconvenience their outage caused and later on the same day emailed their customers. They apologized and promised to get it right in the future.
Customer service as it ought to be.
Blackbaud was hacked. They do not need to apologize for that. But by waiting two and a half months to reveal this to customers, and doing so in a very long email filled with legalese, tech jargon and a sorry-not-sorry approach (again, the lawyers), they’ve caused their customers to be angry with them.
A 2-Advil headache of having to tell donors that their personal data may have been compromised is bad enough. Receiving such an impersonal letter from the company you entrust with your most sensitive information? Enough to make some customers consider Blackbaud’s lack of customer service and wonder:
What else is Blackbaud hiding from us?