Wed, Mar 26, 2014

The importance of consumer focus in a data breach response plan

Consumer focus is increasingly important when responding to data breaches

In a world where cyber security and data compromise are part of the everyday vernacular, consumers are becoming more and more vocal about what an appropriate response plan is when their data is lost or exposed. People refuse to suffer for an organization’s inability to keep their data private and safe. Yet, even in the face of growing consumer expectations, organizations continue to hold their ground, defaulting to methods such as offering free credit reports that may no longer meet the varying needs of those affected.

As California Attorney General Kamala D. Harris noted in her Data Breach Report 2012, “A thief can use the [Social Security] number, along with the victim’s name and other easily obtainable information, to do a number of things, including opening new accounts, taking out loans, receiving medical services, even providing the information when arrested or prosecuted for a crime.” Or consider that the Federal Trade Commission held a Tax Identity Theft Awareness Week this past January to raise awareness on this growing problem.

The fact is that very few cases of identity theft (as few as 2 in 10) can be detected on a credit report.[1] Organizations may need to rethink what their response should be to affected consumers or be prepared for long-term repercussions that will be costly to overcome.

For example, companies that are not mindful about how they support affected consumers often suffer customer churn tied to the data breach. In particular, healthcare and financial services institutions are more susceptible to losing customers in the event of a data breach.[2] When employee information is compromised, organizations may also experience staff turnover when disgruntled employees, dissatisfied with their employer’s response, leave and take to social media to voice their complaints.

It’s understandable that at the first sign of data loss, an organization’s primary focus will be on itself: shutting down an attack or determining exactly what happened, possibly calling in law enforcement, and working with legal counsel to address regulatory requirements. However, the organization also needs to make supporting those affected, whether they are customers, patients, students, or employees, a priority. When the investigation first begins, it should:

  1. Take the time to discover exactly what happened, how, who was impacted and what was exposed. The point of the investigation is to provide clear facts so that business leadership and their counsel can make informed decisions instead of business mistakes. The results become the baseline for everything an organization does moving forward related to the event.
  2. Determine the real risk of the data that was compromised and marry the consumer remedy to the threat. Misjudging the severity level of a breach can be costly. Understanding the real risk allows the organization to conserve and focus resources while putting in place a remedy that actually protects the impacted individuals.
An organization can’t control when and why a data breach happens, but it can control how it responds. And ultimately, at some point after the event, the organization will have to account for its decisions both to the public and stakeholders as well as to regulators and possibly to litigants.

Offering meaningful help to those affected based on data-driven decisions is a positive, proactive step any organization can take to demonstrate its ongoing commitment to consumers and to making things right, while safeguarding the organization’s reputation and perception in the court of public opinion.


[1] Ponemon Institute. 2010 Annual Study: U.S. Cost of a Data Breach. March 2011.
[2] Ponemon Institute. Cost of a Data Breach. 2013.
