Crisis Communications (#40)
Garmin International (https://www.garmin.com/en-US/) is a company that “brings GPS navigation and wearable technology to the automotive, aviation, marine, outdoor and fitness markets.” Since Wednesday, July 22, the company has dealt poorly with a ransomware attack. Headquartered in Olathe, Kansas, Garmin is publicly traded on NASDAQ. According to MacroTrends, Garmin’s annual revenue for 2019 was $3.758B and its net income was $952M. The company’s 13,000 employees are led by Clifton Pemble, the CEO. I do not own a position in the company, but I do own a Garmin watch, own a bike computer, and use their software to upload my workouts to Strava and Training Peaks. The attack and the company’s disappointing response have caused the stock to lose 5.57% since Thursday. In an interesting twist, their 2nd Quarter Earnings Call is Wednesday, July 29 at 10:30 AM EDT.
The fundamentals of crisis communications are to communicate early and often; address your customers, employees, local communities, and news media; and be as transparent as possible. Garmin, however, has executed a textbook example of how NOT to do crisis communications, starting late on Wednesday, July 22 after discovering the ransomware cyber attack.
Here is the Garmin Crisis Timeline:
Hit by a ransomware attack (supposedly WastedLocker ransomware with a $10M ransom) on July 22, at 11:30 PM EDT. This attack denied access to the Garmin servers. On the benign side, the servers enable athletes to upload their workout data through the Garmin Connect app (if you need the workaround, DC Rainmaker has a great article — https://www.dcrainmaker.com/2020/07/how-to-upload-your-garmin-workout-during-the-outage.html). On the more serious side, the lack of servers prevented Garmin Aviation and Marine customers from updating their maps with the latest data; disrupted the Garmin Pilot app, which pilots use to schedule and plan flights; suspended the operation of Garmin support centers and call centers; and stopped Garmin production lines in Taiwan.
Garmin published two tweets on July 23 at 8:35 AM EDT (The tweet states “We are currently experiencing an outage that affects Garmin Connect, and as a result, the Garmin Connect website and mobile app are down at this time.”)
Banner on the Garmin website added (est. July 23 at 8:35 AM EDT)
Guardian Article, July 24, 3:49 PM — https://www.theguardian.com/business/2020/jul/24/smartwatch-maker-garmin-hit-by-outages-after-ransomware-attack
Forbes article, July 25, 6:18 AM EDT — https://www.forbes.com/sites/barrycollins/2020/07/25/will-garmin-pay-10m-ransom-to-end-two-day-outage/#368e9efc3164
Garmin Tweet with Link to Web FAQ, July 25, 3:00 PM EDT — https://www.garmin.com/en-US/outage/
Training Peaks and Strava (two platforms that use the Garmin data) post and tweet about the outage and workarounds, July 25
No update on the Garmin Blog as of July 27 at 5:30 AM EDT
No Garmin email sent as of July 27 at 5:30 AM EDT
No statement from the CEO as of July 27 at 5:30 AM EDT
As a counterpoint, when Home Depot discovered that 56 million customers’ credit card data had been compromised in 2014, the company notified its customers even before it had fully confirmed the breach. The next day the company provided a web post, and the day after that the CEO held a press conference. Since then, the company has been recognized for its honest, accurate, transparent, and timely communication during the crisis.
In my view, Clifton Pemble, Garmin’s CEO, should have been front and center on multiple platforms explaining what happened, what Garmin is doing about it, and estimates on when Garmin is going to restore their services. As a battalion and brigade commander, I felt it was one of my most important roles as a leader — communicate the organization’s story, both during positive events and negative events. Instead, five days later, the CEO remains silent.
Garmin clearly didn’t have a standard operating procedure for their crisis communications, especially for dealing with a ransomware or denial-of-service attack. If you are a small or medium-sized business, it is worthwhile to revisit your standard operating procedures for crisis communications, organize them using the OPORD format (https://www.thefivecoatconsultinggroup.com/the-coronavirus-crisis/the-opord), and make sure you and your team know the plan:
Crisis Communications Plan OPORD
Scenario _________________
1. Situation: (Each crisis you prepare for would have a different situation)
2. Mission: (Who, What, When, Where, Why)
3. Execution:
Leader’s intent
Purpose (A slightly broader why than the one used in the mission statement.)
Key Tasks (The How)
End State (What does success look like?)
Where do you assemble the team during the crisis? Who is part of that team?
Who is your spokesperson? The CEO? A member of the PR or Marketing Team?
Remember, during the crisis the media’s and the public’s interest evolves:
First 12 hours — what happened?
12-24 hours — who are the key players and what are their roles?
24-36 hours — why did this happen?
36-72 hours — evaluation of response efforts
How are we going to communicate in the crisis to:
The customers
The employees
The local community near where we work
The market
The board
Other businesses that are impacted by the crisis
How are we going to communicate on all the platforms:
Twitter
Facebook
Instagram
Web Page
Email
Our App
Traditional media
Draft messages at 12, 24, 36, 48, and 72 hours
4. Admin, Logistics, and Communications
The almost real-time example of Garmin’s poor crisis communications has caused me to lose a little respect for their brand. I am still waiting for them to get back online, communicate with me, and enable me to easily upload my workouts. It is also a good reminder to revisit (or build) your company’s crisis communications plan and make sure you and your team are ready to react to a hack, a hurricane, or other disaster.