When customers trust you with their personal data, they expect it to be protected. How you respond to a data breach therefore matters enormously and can make or break the business’s reputation. In a survey by Experian, 66% of respondents said they would “stop doing business with a company that had a slow or ineffective response to a data breach”.
In the event of a data breach, one of the most crucial steps in your incident response plan is to alert your customers and the general public. Failing to do so can be damaging, whereas doing it well can preserve a great deal of trust. The Australian Red Cross was widely praised for its honesty following a data breach in 2016.
Execution is everything. With this in mind, here are some best practices for communicating a data breach to your customers, the wider public, and the ICO.
The first communication step is, of course, to inform the ICO. Under the GDPR, a reportable breach must be notified without undue delay and, where feasible, within 72 hours of you becoming aware of it (not of the breach itself occurring, which you may only discover later), and the sooner you do so, the better. If you’re unsure whether you are required to report it, you can use the ICO’s free 2-minute self-assessment tool.
If you do need to report it to the ICO, you’ll be required to answer the following questions:
- How the breach happened
- How many people are affected
- The type of personal data that’s involved
- The categories of information that are involved
- How likely it is that individuals will suffer harm as a result of the breach, and what the consequences for them could be
After this, you’ll need to decide whether to tell your customers. You are obliged to notify affected individuals without undue delay when the breach is likely to result in a high risk to them; if the data involved is no more than a name, or poses no real risk to the customer, there is no obligation to notify them. However, you are required to keep an internal record of every breach, whether or not it is reported to the ICO or to the individuals concerned.
How to tell your customers
As well as reaching out to your customers to inform them personally, there should also be a formal communication sent to the press. Whether this goes to trade magazines or to the wider press depends on the severity of the breach and the size of the business.
“Today’s consumers expect quick notification and a company’s full transparency around the breach: how it occurred, what data was exposed or vulnerable, how long the breach lasted, what is being done to shore up cybersecurity defences so that it never happens again and, critically, live human beings who can answer anxious customer questions in real-time over the phone, live-chat or email,” said T.J. Winick, senior vice president at strategic communications firm Solomon McCown & Cence.
Experian argues ‘an old-fashioned letter can be the most effective and trustworthy way of informing your customers.’ Although a letter will take longer to arrive than an email or text message, they argue that an email or text can create a ‘feeling of heightened lack of trust in the customer, who could view it as a scam.’ That suspicion is well founded: breach notifications are routinely imitated by phishers, so whichever channel you use, never ask recipients to follow a link and enter credentials or to confirm personal details, and tell them which official channels they can use to verify that the message is genuine.
However, this depends on whether your customer records are up to date. Experian’s research has shown that over half (53%) of businesses do not have clean customer data. This applies not only to home addresses, but also to email addresses and phone numbers. Experian recommends frequent data cleansing, ‘such as address verification and mortality checks’.
What to tell your customers
Be transparent, take accountability, and offer support.
Ensuring you have all the facts before making a statement is crucial to rebuilding trust. Should you make a mistake in your initial communications, any later retraction may come across as deliberate concealment of the truth, or as a sign that you don’t know what you’re doing.
Use simple, clear language with limited cybersecurity jargon, and be honest about any gaps in knowledge, as well as what actions you’re taking to fill those gaps.
Taking accountability is also crucial – dismissing or downplaying a breach’s severity is never a good idea. A prime example of how not to handle a data breach is the recent case of the Indian digital payment company MobiKwik, which publicly dismissed a security researcher who had discovered 8.2 terabytes of its users’ data on the dark web, the result of a data breach.
“A media-crazed so-called security researcher has repeatedly over the last week presented concocted files wasting precious time of our organization while desperately trying to grab media attention,” MobiKwik tweeted. “We thoroughly investigated his allegations and did not find any security lapses. The various sample text files that he has been showcasing prove nothing. Anyone can create such text files to falsely harass any company.”
After threatening legal action against the security researcher who discovered the breach, the company then added insult to injury by shifting the blame onto its users in a follow-up blog post, claiming that the breach could be due to users ‘upload[ing] their information on multiple platforms’.
And finally, offer support to your customers where they need to take action to minimise further risk to their information. Tell them exactly what steps to take next (for example, changing reused passwords or watching for fraudulent transactions where the exposed data makes that relevant), and extend support centre hours as far as possible. Keeping the lines of communication open and answering any questions they may have will help to rebuild trust.