Amid the remembrance of the September 11, 2001 terrorist attacks this past weekend, much was made of the voluminous 9/11 Commission report, which described in excruciating detail countless ways in which the United States homeland security and emergency response infrastructure failed to respond adequately to a disaster of unprecedented proportions. The “system” as it existed at the time broke down, with every point of failure costing innocent lives. The lesson of the report was clear: Preparation is everything when disaster strikes, and we as a nation were caught woefully unprepared to deal with a large-scale terrorist attack. This principle is no less true of businesses than government agencies; particularly in the decade following 9/11> Large corporations have made it a priority to invest considerable resources in disaster recovery plans, crisis manuals, business interruption insurance and so forth.
There are many kinds of business crises beyond the natural disasters and acts of terrorism that come to mind. Consider the far less serious, but still newsworthy, disaster that befell startup Airbnb this summer. A darling of the tech startup community, reportedly valued at more than $1 billion with investors including Greylock Partners, Sequoia Capital, Andreessen Horowitz, and DST, Airbnb is an online marketplace that facilitates short-term rental of properties such as members’ homes or apartments. The incident involving a woman, “EJ” whose apartment was ransacked by short-term tenants who booked a stay through Airbnb was promptly dubbed “Ransackgate.” The company was savaged by critics for its initial mishandling of the incident; reportedly, she got little response or assistance until she published a blog post on the subject, which spread virally and became a serious embarrassment to the company. (I couldn’t resist calling the company “AirB&E” after that—look it up.) Even then, some of the responses appeared to focus on silencing the victim and denying responsibility.
How could such a well-regarded, highly successful startup be so inept in its response to an entirely foreseeable customer risk/abuse incident that was guaranteed to happen sooner or later? The answer, I believe, lies in the “echo chamber” nature of Silicon Valley, early adopters, the startup community, and the tech business press. Much has been written about the cooperative nature of Valley culture, and Airbnb itself was an outgrowth of the couch surfing movement. As with almost any online community, the well-meaning early adopters arrive first, and if all goes well, a culture of respect evolves — together with some snark and skepticism — that keeps behavior within relatively civilized boundaries. The trouble comes when a site becomes wildly successful, going from 1,000 closed beta members to 100,000 or 1,000,000 users. As it grows, any service will come to resemble a diverse cross-section of the general population, with all of the good and bad that entails. I wrote about this phenomenon in a previous blog post, “If You Build It They Will Abuse It,” which bears revisiting in the wake of “Ransackgate.”
Why wasn’t Airbnb better equipped to respond swiftly and effectively to the incident? The primary answer, in my view, lies in the vastly divergent cultures of startups vs. established businesses. A startup is in the business of creating value from nothing – or, as Steve Blank describes it, “searching for a repeatable and scalable business model.” Large companies focus on protecting and expanding upon their existing successful business. A startup that has found product-market fit needs to transition quickly into that category, with operational excellence taking precedence over bursts of creative brilliance. The very best startups, such as Facebook, have been able to make this transition gracefully even without changing CEOs. I give Mark Zuckerberg tremendous credit for that accomplishment, together with Sheryl Sandberg and the rest of Facebook’s senior team.
We lawyers are often rightly criticized for being excessively conservative and risk averse in pointing out everything that could go wrong. In the startup world, seeking to eliminate all risk is a hallmark of big company or big firm lawyers who don’t get it. When speed of execution and efficiency are paramount, the eternal grind of that style of lawyering is excruciating. Yet when it comes to risk management of user communities – content, community or commerce – failure to be looking around the curve ahead can result in pretty ugly crashes.
As it gains traction, every social or consumer internet startup should pause at some point and take stock of risk and abuse issues, viewed as broadly as possible. It doesn’t necessarily mean hiring an expensive consultant (or even a lawyer) with deep expertise in the area, but applying a mindset of pessimism and paranoia is helpful for purposes of this thought exercise. Essentially, get inside the bad guy’s head. Some concrete steps:
- Make a list of the most obvious ways in which someone could abuse the service, either with a specific objective in mind (e.g., Nigerian money transfer scam) or out of simple malice or mischief.
- Compare notes with the rest of the team, and with external experts if possible, to see what you might be missing. Sometimes the elephant is right there in the room with you.
- Recognize that the nature of the user base will change over time, and you will become a victim of your own success. Resign yourself to the notion that almost every bad thing you can think of will occur sooner or later if the service scales to the point of hundreds of thousands or millions of users. This is one time the entrepreneur’s unflagging optimism is not helpful and is actually downright counterproductive.
- Create a feedback loop between users reporting misconduct, community managers or moderators, and senior management to stay abreast of abuse issues as they grow and morph over time.
- Empower users to spot and report issues of all kinds. The greatest strength of consumer internet businesses is the sheer quantity of information that can be collected, either using analytics or through voluntary reporting by users who genuinely care about the community. Consider “deputizing” some of them with limited administrator powers. Perhaps most importantly, listen.
- Crucially, prepare some kind of disaster response plan to keep in your back pocket ahead of time. Speed of response can be critical when a PR disaster like “Ransackgate” strikes. If nothing else, determine who is on the core team to respond to any ugly abuse incidents. Most companies caught flat-footed do one of two things: Say too much or say too little. Too little usually results from well-intentioned legal advice to not to admit anything in the event of litigation. Often a company will lose more as a result of reputational damage than it would spend having to defend or settle a lawsuit.
- In the age of social media, word travels lightning fast of this kind of incident. With a prompt, helpful response, that can be turned to your advantage. Take a look at Better Business Bureau complaints and notice how many incidents are ultimately resolved to the customer’s satisfaction. That’s generally a business’s attempt to preserve its good BBB rating. Any business with a large number of customers will have some who are dissatisfied; handling them in the right way can turn them from vocal critics who damage your brand to some of its most ardent cheerleaders.
- Plan more specific responses to the single most likely (or better yet, top 3 or top 5) kind of abuse or fraud incidents based on the unique nature of your business. Large companies sometimes sketch these out in hundred-page disaster manuals. That’s overkill for a startup with limited resources, but recognizing the need to come out with an immediate statement and involve the right people is a big head start.
- Tone is everything. Showing empathy, admitting that nobody is perfect, expressing an earnest desire to make things right, and actually taking care of the squeaky wheel to his or her satisfaction speaks volumes about a company and how much it cares about its customers.
- Know where to draw boundaries. No company will make 100% of its customers happy 100% of the time. Develop a think skin regarding (a) garden-variety commercial disputes, which are devoid of any news value, and (b) true nutcases, of which there will be plenty.
To its credit, Airbnb came out with a long list of improvements in the wake of “Ransackgate,” but only after sustaining serious damage to its reputation that undermined confidence in its entire business model. More than fifteen years into the consumer internet revolution, there is no excuse for not foreseeing and preparing for the kind of incident that major players in online dating, auctions, and similar businesses have been dealing with since the mid-1990s. Financial, legal, and reputational consequences await those who are reactive rather than proactive, and competitors will take advantage of each misstep. As TechCrunch wrote in Airbnb’s case, “The hotel lobbyists couldn’t ask for anything more.”
This article is for general informational purposes only, not a substitute for professional legal advice. It does not result in the creation of an attorney-client relationship.