How Fundraisers Can Avoid 5 Big Mistakes Made by Capital One

Don’t worry. This post really is not about data security. It’s about much more. And I’ve written it for you, a fundraising professional.

But first, here’s some background:

Capital One, the tenth largest banking institution in the USA, announced it has experienced a major data breach involving the personal information of credit applicants and customers. In its official statement, the bank disclosed, “Based on our analysis to date, this event affected approximately 100 million individuals in the United States and approximately 6 million in Canada….This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.” In addition, about 140,000 Social Security numbers were compromised. One million of Capital One’s Canadian customers had their Social Insurance Numbers compromised.

The Capital One story presents the nonprofit sector with an opportunity to learn from someone else’s problem. Every charity should learn from the five mistakes made by the bank:

1. Inadequate Data Protection

While Capital One works with Amazon Web Services, AWS says it was not compromised. The hacker exploited Capital One’s own system. The US Federal Bureau of Investigation has a former AWS employee, Paige A. Thompson, in custody. The investigation is likely continuing. What we know for certain at this point is that Capital One’s data protection systems were not up to the task.

As a fundraising professional, I don’t have any idea about what sophisticated data protection tools exist. I suspect you don’t either. However, you have an obligation to make sure that your organization seeks out the expertise to safeguard the organization’s data. Furthermore, you need to make sure your organization has a policy about who has access to data and under what circumstances. I know you won’t have the security systems of a bank, but you do have an obligation to have reasonably robust security protocols in place.

2. Lack of Timely Reporting

The personal data of Capital One credit applicants and customers was compromised from March 22-23, 2019. The company didn’t learn of the breach until July 19. The bank did not reveal this information to the public until July 29. We do not know if the FBI requested that the bank withhold news of the event pending an arrest. If so, the reporting delay is understandable. Nevertheless, the delay from the date of the incident to the date of disclosure was significant, even if it wasn’t the result of an actual mistake.

Fine wine improves with age. Problems do not. Whenever bad news is likely to become public or should be made public, it’s important to do so as soon as possible. This is true for both for-profit and nonprofit organizations. Getting the information out quickly and fully will help the organization preserve or, perhaps, even enhance its credibility.

3. Not Getting Out in Front of the Story

Once Capital One released the news, it did so haphazardly, despite having had 10 days to plan the disclosure roll-out. It issued a press release at 7:11 PM ET on July 29. By 7:41 PM ET, The Wall Street Journal website carried the news story. Other media outlets ran the story around the same the time. However, Capital One did not tweet the news until 8:43 PM ET. Therefore, when I first checked the Capital One Twitter feed, there was no mention of the story.

Even once the company addressed the general public, rather than just the news media, it did so with a bland tweet that simply read, “If you want to learn more about the Capital One cyber incident, please visit” along with a link to its press release and Frequently Asked Questions page.

The company did not issue an eye-catching alert. The company did not disclose the nature of the “incident.” The innocuous language and low-key look was also used at the top of the Capital One homepage. Assuming they actually spotted the mention, readers had to click through to the press release to find out what happened and, then, to the Frequently Asked Question page for additional information.

If something goes wrong at your organization, make sure you deliver your message on all the communication platforms your organization uses. Make it easy for folks to spot the information. Furthermore, make it easy for them to get more information by giving them a number to call or an email address, perhaps setting up both as hotlines for the occasion.

Capital One could have provided the public with the news without forcing folks to click through to the press release and then click over to the FAQ page. The bank could have also tweeted out tips for how its customers can protect themselves. Instead, the company is making people work a bit for the information. Don’t make the same mistake. Get people the information they need when they need it, and make it easy for them.

When something goes wrong involving your organization, whether or not it is to blame, you need to get out in front of the story in as coordinated a way as possible. At the point you alert the media, be prepared to take your message directly to the general public at the same time.

4. Delivering a Corporate-Speak Statement

Capital One wrote its press release using corporate-speak. For example, it included this tepid apology from Richard D. Fairbank, Chairman and CEO of the company:

While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened. I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

Can you feel his regret, his concern for customers, and his commitment to making things right? I can’t.

When you do go public, don’t just recite the cold, hard facts. Be prepared to share your emotions. Express heartfelt regret, show genuine concern, and demonstrate an honest commitment to fixing things by outlining first steps being taken.

5. Not Providing Easily Accessible, Useful Information

Capital One is forcing the public to make multiple clicks so they can wade through its press release and FAQ page to get the needed information. Instead, the company could have put the essential facts and helpful tips in an easy to understand bullet format. More detailed information, such as the press release, could have been provided on another page for those interested. Its social media messages could have delivered actual information rather than simply leading readers to click through to the company website.

We live in an information age. If your organization has news to share, share it. Don’t make folks jump through hoops to get it. Don’t make them wade through your corporate-speak message to find the nuggets of information that will really matter to them. Get the information out everywhere. Don’t make it the news media’s job instead of yours. Own the story and make the information useful and easy to get.

Bonus Thoughts

As I reviewed this post, I realized something else. While I’ve focused on why you should avoid the five communication mistakes Capital One made when reporting bad news, I realized that items two through five are just as relevant when delivering good news.

When delivering good news, timeliness is still important. Capitalize on the excitement of your good news before it fades or leaks. Get your story out on your terms so you can craft the message to maximize benefit. When you do announce your news, avoid corporate-speak. Imagine that you’re delivering good news to your family. What words would you use? What would your energy level be? Would you be emotional (i.e., excited, happy, etc.)? To make sure your news has the desired impact, make sure it captures the public’s attention, make the information easy to get, and provide a benefit to the recipient. In other words, make sure they understand what’s in it for them. Also, tell them how they can get more information.

Fundraising is all about building solid relationships. That means engaging with prospects and donors in a meaningful way whether you need to deliver bad news or good. Capital One obviously hasn’t figured this out. However, you can learn from its mistakes. Even if your nonprofit has a communications department, you’re the fundraising professional. That means you’re the one ultimately responsible for managing your organization’s relationships with prospects and donors. So, make sure that everyone in your organization is communicating with a sense of how they can engage prospects and donors in a way that delivers value to them and maintains their trust.

For additional insights about the importance of solid communication to the fundraising process, you might want to read the following older posts:

What is the Most Important Thing You Can Learn from Recent Nonprofit Scandals?

Does Komen Have a Communications or Integrity Problem?

That’s what Michael Rosen says… What do you say?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: