“Thirty-one percent of customers—nearly one-third of a company’s client base and revenue source—are terminating their relationship with organizations following a data breach, according to a recent study by the Ponemon Institute.”
Rick Kam, president of ID Experts provides guidance in a recently published article in CSO Magazine titled “How to Minimize the Impact of a Data Breach” on best practices that should be adopted by companies and organizations that hold personal data on their customers, employees and suppliers.
Mr. Kam lays out seven key strategies for a successful data breach response.
- Create a response plan or review your current one. Have a thought-out and actionable plan in place so your post-breach response can be as effective as possible. This is not time to play Russian roulette with the 31 percent of your customer base who is ready to walk away. For generations, the Boy Scouts have said it best with their motto: Be Prepared.
- Deliver timely and forthright notification. Large delays in notification signal to your customers that you are hiding something and/or they are not important to you, despite some realities that it takes time to assess the impact of a breach. Although it may not be possible to notify customers within a week, or even several weeks following a breach, your goal should be to notify them as soon as possible, with what reasonable information you can divulge at that time.
- Provide complete and believable information. For many of your customers, a breach itself will be enough reason for them to walk. But for others, the quality of information you provide will be the key determinate in their decision to stay. Within your notification, be sure to provide your customers with clear and concise information about the breach, including specific details on how the breach will affect them. Is their personal information in the hands of identity thieves? Do they have to close their credit card accounts?
- Develop your messaging, then rethink it. And rethink it again. Many respondents in the Ponemon study found communications to be unbelievable or misleading, failing to reduce their fears about potential harms they faced because of a breach. Even if you are being factual, think of how you are stating those facts. Notification letters and public communication about the breach are crucial in determining customers’ reactions, and you must carefully teeter the fine line in your communications between being firm yet friendly, and concerned yet in control and taking responsibility.
- Act as an educator. Although you are the barer of bad news, you also have the opportunity to be the barer of solutions. Lay out for your customers the â¬Snext stepsâ¬ they can or need to take after they are notified. Include information, phone numbers and Web sites on freezing credit files, getting free credit reports and other tips customers might want to know and follow. At little or no cost to your organization, acting as an educator will not only help your customers recover from the incident, but maintain your organization as a trusted source.
- Consider offering free or subsidized identity protection services. Offering identity protection services has proven to have a positive effect on customer retention, and in many cases, offering such services is more affordable than new customer acquisition strategies. Individuals who receive free or subsidized services, such as credit monitoring, identity theft insurance or identity recovery services, feel less concerned and worried about the breach after it happens. Similarly, customers who receive these services are also less likely to terminate, or consider terminating, their relationship with your company.
It is surprising how few companies, even those in the Fortune 500, have well crafted data breach response plans that cover the all of the line functions that are essential to an effective response. These will typically include the IT and security teams, but also privacy, legal, marketing, financial, product management and customer support. Lack of a complete and integrated response to a data breach event can and does cost companies significantly in terms of lost customers and the tarnishing of their brand.