Customer relationship in the event of a data breach: what NOT to do
Data breaches have become an unfortunate fact of life. But just because data breaches happen every day doesn’t mean your own company’s incident isn’t big news that needs to be handled with great care. When responding to a cyber incident, a public relations mistake can multiply the damage significantly.
Here’s an overview of some bad behavior you’ll want to avoid:
DON’T just do the bare minimum.
Some companies try to keep a data breach relatively quiet by meeting only the minimum legal requirements and hoping it blows over. In reality, it is far more likely to blow up than to blow over.
“Often, breach notifications are only made due to mandatory legal reporting requirements and those requirements can vary significantly by jurisdiction,” says Ryan R. Johnson, data privacy attorney and chief privacy officer at Savvas.
Johnson says some U.S. state data breach notification laws set very narrow reporting parameters, such as mandatory notification triggered when specific types of personal data have been viewed by unauthorized parties. By comparison, other states give organizations wide latitude under a “risk of harm” approach, which allows the breached organization to decide whether to notify customers.
“Simply put, it’s up to a business to determine whether customers would be affected by compromised data in a breach,” Johnson says.
And remember: some data breaches do not involve any personal information at all. The theft of intellectual property, for example, could affect entire supply chains.
DON’T minimize potential damage.
It is rare to know the full extent of the damage during or immediately after a data breach, and the temptation to hope that the breach is less serious than it looks is often strong. Don’t minimize the harm in your initial disclosure to affected customers. If you do, you are likely to face a worse situation later.
“TJX management in the United States would probably admit that its response to the [breach of 45.6 million credit card numbers] in 2007 didn’t go well,” says JD Sherman, CEO of password manager Dashlane. “Although they communicated in a timely manner, they underestimated the impact in their initial communications, making the news that the breach was much larger even harder to swallow.”
DON’T be a profiteer.
“A terrible way to handle a breach situation is to not handle it at all,” warns Cassandra Morton, senior vice president of customer success and service delivery at NTT Application Security. “Worse still is using the event as an opportunity to sell a series of new tools and services in an attempt to fix the situation.”
Also, don’t dangle free services as a way out. After its 2017 breach, which exposed social security numbers, birthdates and addresses belonging to more than 40% of the US population, Equifax offered victims free credit monitoring (provided, ironically, by Equifax itself), but only if the victim first provided a credit card number and waived any right to take legal action against the company. After public pressure from regulators and advocacy groups, Equifax later removed the arbitration clause.
DON’T disclose too late.
After a data breach, the clock is ticking. If notification – to regulators, law enforcement, media, and/or affected customers – is mandated, your penalties can increase significantly the longer you wait. (The European Union’s General Data Protection Regulation may require you to report the breach to the supervisory authority within 72 hours of becoming aware of it.)
Sometimes a law enforcement investigation will prevent you from notifying affected customers immediately, but don’t delay unduly. Further damage may result from the use or sale of the stolen data elsewhere. If you delay notifying your customers, third-party vendors, or others affected by the data breach, you are setting the stage for the harm to grow.
“The worst way to handle notification is not to send at all or exceptionally late. This approach will immediately increase the level of consumer mistrust,” says Ron Tosto, CEO and Founder of Servadus, a cybersecurity and compliance consultancy. “The message in the notice is that your organization is hiding something and the information may contain misrepresentations.”
“There were examples of notifications two years after the fact and only after an investigation revealed an omission of exact details,” Tosto says.
“The other approach is to avoid blaming or giving false credit to sophisticated hacking methods. Statistics show that flaws are common with vulnerabilities unpatched for six months or more,” Tosto adds.
When the Equifax credit bureau discovered a breach in 2017 that exposed social security numbers, birthdates and addresses belonging to more than 40% of the US population, they took their time disclosing it. They waited 40 days
However, if your company remains silent about a data breach unless and until the media gets wind of it and announces it publicly, or if the news breaks and you still take your time sending those notification letters, you’ve probably created a public relations nightmare.
“The worst way to deal with customer notification is for customers to first hear about it in the news and then receive notification — weeks or even months later,” Johnson says.
The golden rule
Fortunately, all of these missteps can be avoided by simply following the golden rule.
“Customers often get angry and lose faith in organizations that aren’t transparent, don’t communicate action, or play the victim,” says Megan Paquin, APR, CPRC, vice president of Poston Communications, a public relations and crisis communications agency, and head of its crisis management team. “They understand that the criminals are behind these attacks, but they need to be sure the companies have their backs when it comes to the privacy and security of their data.”