If your business was to fall victim to a data breach, would you be prepared to notify your customers? While having an incident response plan is key, so is good communication...
Over the past week, we’ve seen several examples of high-profile businesses falling victim to data breaches. The fact they were breached in the first place is not surprising as virtually every business that operates online is at risk of cyber-attacks. What’s more surprising is how some of these breaches have been managed – particularly in regards to communication.
With changes to New Zealand’s Privacy Bill expected to come into effect in the next 12 months, businesses should already be starting to put some serious thought into what they would do if they were to fall victim to a data breach. Creating an incident response plan is a great place to start.
What this incident response plan looks like will vary from business to business, but at the very least it should give key stakeholders within your business a clear plan and overview of what needs to be done, by whom and when.
From a communications point of view, an incident response plan should do one thing: reassure your customers that you care. Based on what we’ve seen in the news of late, some have failed at this. Good communication is a key part of any crisis or incident response function. Without it, people are left asking questions, they make assumptions and they feel disregarded – all of which will ultimately affect how they view your business; and whether they choose to interact with it in the future.
So, how do you reassure your customers in the event of a data breach?
1. Act Fast
If your business were to be breached and sensitive customer data (credit card details, address, passwords etc.) has been compromised, act quickly and let customers know as soon as possible. Don’t sit on it for weeks or months, work with your IT team or an external security provider to quickly gather the facts, recommend a course of action and notify customers.
In the case of the Ticketmaster breach, I received an email notifying me that my credit card details may have been compromised and that I needed to reset my passwords as a precaution. This is what I would expect any company I do ‘business’ with to do in the event of a breach – particularly if my data is affected. Am I a concerned that my credit card information may have been breached? Yes. Will I stop using Ticketmaster because of the breach? No.
2. Be Transparent
Don’t leave room for interpretation, provide all the facts and outline the issue so customers know what has happened, what data has been affected, when and how. Trying to cover up the severity of a situation will only make things worse.
3. Just Say Sorry
All too often, businesses struggle to do one simple thing: apologise. Put yourself in your customers’ shoes. Is the breach your fault directly? Probably not. Does this mean you shouldn’t apologise for the inconvenience? No. For the average person, a breach of their data is a violation of trust and privacy, particularly if any personal information is involved. Business and personal relationships are really quite similar - as with any situation where you may have unintentionally done something to upset someone– it’s best to say sorry, acknowledge the incident and outline what you are going to do about it (full review, increase security, change third party providers).
4. Over Communicate
If the incident isn’t resolved, or if there is still risk, let customers know that the situation is ongoing. It’s also important to let them know how you plan to update them so they know where to look for updates. These could be email updates, a dedicated page on your website or Twitter updates. Ideally it should be a combination of several forms of communication as not all people are on Twitter, for example. If the issue is widespread and a large number of customers’ sensitive data has been affected, you may need to consider running notifications in the media (similar to what happens with a product recall).
Responding to a data breach doesn’t have to be complicated. Having an incident response plan in place to deal with cyber-attacks and data breaches is part and parcel of doing business today. Of course, when compulsory data beach notification comes into play here in New Zealand, it will also be non-negotiable – so why not get everything in line now?
Remember, it takes a long time for businesses to build a good reputation. Without a good plan in place to deal with customer communications in the event of a data breach, businesses are putting their reputation at significant risk.