Data Breach Response: Seven Guidelines for Regaining Customer Trust After a Breach
Kroll Global Fraud & Risk Report 2016/17
Your organization works hard to produce an outstanding product or service. You go the extra mile to give customers a great experience. You’re always looking ahead to what you can do better. And then a data breach hits. Maybe someone on the team loses a laptop or device that is loaded with customer data. All the goodwill and trust built on your performance is at risk of evaporating before your eyes.
You wouldn’t be alone. More than 85% of respondents to Kroll’s 2016 Global Fraud and Risk survey said they had been a victim of a cyber attack in the past 12 months. Equally troubling, 67% also indicated that the event had a significant negative impact on their organization’s reputation.
There may never be a more critical time to focus on your customers’ needs than in the aftermath of a data breach. A careful response that incorporates the following seven guidelines will help regain your customers’ trust, rebuild confidence, and ultimately strengthen the relationship.
1. Notify in a timely, but responsible, manner
If you have complete certainty about the scope and nature of the compromised data, you should move swiftly. Customers expect you to inform them as soon as you know. However, it is counterproductive to underreport and have to follow up with additional disclosures, or to distress customers with false alarms. It’s better to investigate with urgency and then notify as necessary. For example, a Kroll client had 35 laptops stolen, and initially believed data for 2 million people had been compromised. Our investigation proved that data for only 1,500 customers had been taken.
2. Build credibility
Be sure to cleanse your contact data before notifying; sending multiple notifications to the same individual can cause them to question your overall ability to manage their data. Your credibility can be at stake in many other ways. Kroll worked with one company that spent several months chasing the “best deal” from numerous vendors to handle the various components of a large breach. While the ultimate response covered all regulatory bases, the company suffered considerable criticism for its slow actions and eventually settled a related class-action suit. It had conveyed a message that saving money was more important than protecting its customers.
3. Customize your communications for segments of the affected population
While it is tempting to set up a one-size-fits-all solution and get letters out, take the extra step to fully understand the impacted population and address any special needs. For instance, Kroll had a client whose affected customers included individuals for whom Korean was their native language. Accordingly, not only were their notification letters written in Korean, but the call centers were also staffed with Korean translators.
4. Demonstrate empathy
Be careful to tailor your message to the unique characteristics or circumstances of the affected groups. This approach is especially critical if your organization serves individuals who are simultaneously dealing with grave personal challenges or losses, for example, terminally ill patients and their families who might be affected by a hospice breach.
5. Provide relevant, useful services and guidance
Identity theft will be a valid concern for your customers, so be prepared with services that match their risks. For example, a recent client lost the credit card numbers, user names, and passwords of its customers. In addition to credit monitoring services, the client offered non-credit monitoring, which searched the dark web for instances where those numbers were being sold, an indicator that these consumers were in danger of someone using their information. In another case where a client lost Social Security numbers (SSNs) belonging to minors, Kroll’s licensed investigators consulted with parents to show them how to put a credit freeze on their children’s SSNs. Otherwise, illegal activity on the minor’s SSN could go undetected until the child turned 18, when he or she might apply for student loans or a credit card.
6. Create a consistent customer experience
Recently, one of our clients inadvertently disclosed personally identifiable patient information, including medical diagnosis data, medication records, and medical history. The incident was abhorrent to the CEO, who recognized that it ran counter to the organization’s core values. The client committed to training each Kroll call center, ensuring our team could express that cultural value to the individuals calling. Remember, the experience you provide during a breach can define how your customers feel about your organization for many years to come.
7. Anticipate competitors’ behavior
Competitors know that you are most vulnerable to losing customers in the aftermath of a data breach. Consider setting up teams to anticipate and monitor the promotional activities of your competitors at this time, and then create plans to preempt or counter them. Likewise, you may want to consider offering your own special promotions, such as free services, discounts, or coupons to encourage your customers to stay.
The process of rebuilding trust with customers after a data breach is a multifaceted, long-term endeavor. But don’t wait until an incident strikes to put these seven steps into action. Much of the work involved in each step can be accomplished in advance, putting you in a stronger position to weather the storm, and rapidly earn back your customers’ trust.
Learn more about fraud and risk statistics and trends -- as well as innovative risk management strategies and best practices -- in Kroll’s annual Global Fraud & Risk Report 2016/17.