While businesses are increasingly creating cyber defence playbooks, customer remediation in the aftermath of a data breach is key to protecting brand reputation.
When it comes to data breaches, there are some events you can never stop, such as an employee clicking on a phishing email. However, there are certain actions you can take in anticipation of a data breach, such as maintaining good data hygiene and good policy and procedural protocols, that will go a long way in helping you deal with the aftermath of a data breach.
There is an entire set of things that businesses are still not doing that would help them deal with a data breach. And it is all about communicating with those who have been affected, says Jim Steven, Head of Data Breach Response at Experian.
“We have seen that the size and scope of the business and its infrastructure doesn't matter because a data breach can be triggered by human error and can be something as tiny as putting the wrong letter in the wrong envelope.
“The challenges being faced by businesses when they have had a data breach, surprisingly, also include the quality of customer, supplier and employee contact data to enable the successful notification of those affected. The questions that businesses need to ask themselves at the outset are: Can we contact them at all? And how good is our data to be able to facilitate this conversation?
“In the aftermath, it is important for businesses to set the tone of the conversation with their customers and decide how they would want to drive communications around the data breach, whether to inform by letter, via their website, personalised emails or phone calls.
“Businesses usually feel that getting in touch can be the act of sending off a piece of communication simply stating what has happened, whereas this isn't the case. When a business finally informs its stakeholders, the management of the communications to the different groups can be challenging. When you look at the different stakeholder groups, e.g. employees, ex-employees, current and previous clients, different brands within the same group, consumers, and the Board, it can take some effort and in the heat of the moment can be challenging.
“Once the initial contact has been made, there will always be a group of individuals who would want more information - the business needs to consider if it has enough resources and experienced experts to speak to them by phone and potentially across other media including social, etc.
“A decision also needs to be taken to see if remediation can be put in place, including credit and web monitoring services so those affected can check on an ongoing basis whether anyone is trying to fraudulently use their personally identifiable information to steal their identity or gain access to credit such as a loan.
“The priority for businesses is to put a data breach readiness plan in place to ensure they have the right experts in place and can quickly put the response into action when the worst has happened. Those businesses who focus well in advance on their planning will have some comfort that they will be able to let people know, which is a priority in any environment where expectations undoubtedly will be running high.
“More joined-up thinking and a few different playbooks are needed. With focus still very much placed in the IT arena, the other key experts needed on the team are Legal, IT forensics and insurance experts.
Companies tend to underestimate how long it will all take to navigate these groups. Those businesses who are more complex in structure may need to think about communicating across different audience types, in different languages across different jurisdictions and then gain legal counsel to approve these. This adds another layer of complexity that on the surface may not be considered; it’s then they realise the depth of crisis communications.
“An example of this is drafting the most frequently asked Q&As by the legal team, which takes time. Simply printing letters and posting them is time-consuming. Businesses need to assess if their call centres can take that many calls; not everything can be quickly mobilised or done all in one go.
“Reassuring customers who might not have received communication and take to social media to complain is another worry for organisations these days, and that is why the merits of having at least 3-4 playbooks cannot be emphasized enough.
“In the post-breach environment, all forms of communication sent out by a business, including letters, emails and text messages, are important, as well as the presence of a robust contact centre that will be able to handle questions with confidence and ultimately reassure those who have been affected.
"I am looking forward to sharing with you my observations and providing practical insight about how to prepare in advance at the #teissR3 in September."