Communicating With Customers After a Data Breach
Originally posted July 11, 2013 by Catherine Dunn on http://www.law.com
Let’s face it: there’s a pretty good chance your company will experience a data breach at some point (if it hasn’t already). But just because you lost a trove of valuable data doesn’t mean you have to say goodbye to an even more important asset: your customers.
There’s certainly a real risk of that happening, according to Michael Bruemmer, vice president at Experian Data Breach Resolution, which has handled about 1,700 breach incidents in the past year. “The number one cost in a data breach is the loss of revenue, or the impact to [the company’s] brand,” he says.
Which is why responsiveness is important. After an incident, a company has a better shot at maintaining its relationships with customers if it responds appropriately. And just what do consumers want from companies after a breach? They can accept the fact that such incidents can and will occur, explains Bruemmer, but in return, “they want to be taken care of.”
First, let customers know—promptly—if their personal data was breached. Note that Bruemmer isn’t an attorney, and Experian doesn’t provide legal advice to clients; for that he recommends clients engage outside privacy counsel, particularly given the wide variety of state and federal laws governing data breach notification requirements.
That said, think about what it would it take to start re-building trust with a customer whose data has been affected. “I always recommend that people be up front,” Bruemmer says.
Next, be prepared to answer consumer questions, in plain language. Customers will want to know how and why a breach happened. They’ll want to know what steps they can take to mitigate any damage, such as cancelling credit cards. And they’ll want to know what the company is doing to help them, like offering free credit monitoring services, for example.
Finally, stay in touch. Affected consumers will want to see that the company is providing an ongoing “lifeline” to them, says Bruemmer, in order to resolve any problems that arise later on.
A recent studyby the Ponemon Institute and Experian, however, found that many companies were not up to the task of communicating with affected customers after a breach. Among the 471 respondents, only 21 percent said they have a communications team that’s trained to assist in breach response, and only 11 percent said they verify that contact with each breach victim is completed.
So put together an incident response team ahead of time. According to Bruemmer, team members should include internal department heads, outside privacy counsel, a forensic investigations vendor, a data breach resolution vendor, and possibly a PR specialist.
Designate a single spokesperson for both internal and external communications who can “quarterback the team,” Bruemmer says. Then make sure everyone knows their parts before putting it into play with customers. “Unless you practice that plan, it’s no good,” he adds.