Why You Need to Treat a Breach as a Customer—Not a Compliance—Issue
A breach happens. In my experience dealing with breach resolution, this means companies run to call forensic investigators, legal counsel, law enforcement and others. Then the breach notices arrive. Without the proper channels in place for a smooth and quick resolution, unfortunately I’ve seen consumers rush to call the media, litigators and the competition.
When all runs smoothly, you know you’re handling the technical and regulatory sides of breach response with aplomb. However, as I’ve seen time and time again, what you might be falling behind on is the consumer engagement side of breach response, and that’s when your customers start making calls.
Companies need to reevaluate their breach response or face the fallout—to the tune of more than $3 million. That’s the average amount a data breach costs a U.S. company in lost business as a result of reputation damage, abnormal customer turnover and related expenses. It’s no small sum, because your brand’s reputation is no small thing.
It’s not always easy to own up to what happened in such an open, honest way. So here’s the challenge for all companies moving forward: Start treating privacy and breach response as a customer issue—not just a compliance issue. It’s time to update core practices to be prepared for and mitigate the damage of an incident beyond just checking the compliance box.
Incidents are making front page news from local papers to national headlines. In fact, with the recent Data Breach Report from the California Attorney General, it’s likely that we will continue to see more and more conversation. Just imagine waking up to the morning newspaper with a front-page headline reading (aka screaming) something along the lines of, “Would You Trust Your (Business/Life/Health, etc.) to (Your Company)?” You get the idea—just fill in the blanks. Inside the story are plenty of customer complaints, and stakeholder scrutiny isn’t far behind.
As the customers drop off, the damage in lost business costs add up. And it can all take years to overcome.
There is a touchy feely side of managing fallout from a data breach. Put yourself in their shoes. Are they going to be happy with what you have to say in your breach notice? Are they going to feel cared for and protected? Are they going to have any reason to jump on the breach litigation bandwagon?
In other words, don’t treat your breach population like they are just another technical component of the incident to handle. Treat them like people.
How can companies take steps beyond a compliance-only response? It comes down to three key areas—start on the right foot with your customers, enable the proper tools to ensure they can protect themselves and keep an open line of communication.
- Detailed breach notice. This is your chance to set things right with the breach population. While there are certain industries that now have strong regulations about disclosure, remember to keep the end customer in mind, not just the potential fines. Have a plan in place to be able to readily communicate—what happened, what you’re doing to fix it and how you’re taking steps to ensure it won’t happen again. Essentially, answer the question that’s now in the consumer’s mind, “Do I still want to continue my relationship with this company or take my business elsewhere?”
- Well-rounded identity protection. Consider providing everyone in your breach population a meaningful means of protection, such as identity protection with credit monitoring and ongoing fraud resolution. Be sure to tailor the identity protection to the type of data that was lost. That way, members of your breach population can feel confident in their security and in continuing to do business with you.
- Reassuring customer experience. Consumer-centric breach response doesn’t have to end with the breach notice and identity protection. Let your breach population know you’re there, really there, for them. Hire a call center that’s available seven days a week so your own internal staff isn’t overwhelmed with calls. Set up a website to answer frequently asked questions about the breach. In essence, don’t hide from your breach population. Embrace them.
While you are liable to do certain things following a breach, you can also step up and go the extra mile for members of the breach population, helping to ensure the longevity of your relationship with them through good times and bad.
Note from the Editor:
For more information about responding to a breach, see Close-Up: Responding to a Data Breach.
About the Author
Michael Bruemmer, CHC, CIPP/US, is Vice President with the Experian Data Breach Resolution group. A veteran with more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services. Bruemmer currently resides on the Ponemon Responsible Information Management Board, the International Security Management Group Editorial Advisory Board and the International Association of Privacy Professionals Certification Advisory Board.