CSO has an excellent article on how to limit damage during a data breach. Included are these excellent steps:
- Create a response plan or review your current one. Have a thought-out and actionable plan in place so your post-breach response can be as effective as possible. This is not time to play Russian roulette with the 31 percent of your customer base who is ready to walk away. For generations, the Boy Scouts have said it best with their motto: Be Prepared.
- Deliver timely and forthright notification. Large delays in notification signal to your customers that you are hiding something and/or they are not important to you, despite some realities that it takes time to assess the impact of a breach. Although it may not be possible to notify customers within a week, or even several weeks following a breach, your goal should be to notify them as soon as possible, with what reasonable information you can divulge at that time.
- Provide complete and believable information. For many of your customers, a breach itself will be enough reason for them to walk. But for others, the quality of information you provide will be the key determinate in their decision to stay. Within your notification, be sure to provide your customers with clear and concise information about the breach, including specific details on how the breach will affect them. Is their personal information in the hands of identity thieves? Do they have to close their credit card accounts?
- Develop your messaging, then rethink it. And rethink it again. Many respondents in the Ponemon study found communications to be unbelievable or misleading, failing to reduce their fears about potential harms they faced because of a breach. Even if you are being factual, think of how you are stating those facts. Notification letters and public communication about the breach are crucial in determining customers’ reactions, and you must carefully teeter the fine line in your communications between being firm yet friendly, and concerned yet in control and taking responsibility.
- Act as an educator. Although you are the barer of bad news, you also have the opportunity to be the barer of solutions. Lay out for your customers the next steps they can or need to take after they are notified. Include information, phone numbers and Web sites on freezing credit files, getting free credit reports and other tips customers might want to know and follow. At little or no cost to your organization, acting as an educator will not only help your customers recover from the incident, but maintain your organization as a trusted source.
- Consider offering free or subsidized identity protection services. Offering identity protection services has proven to have a positive effect on customer retention, and in many cases, offering such services is more affordable than new customer acquisition strategies. Individuals who receive free or subsidized services, such as credit monitoring, identity theft insurance or identity recovery services, feel less concerned and worried about the breach after it happens. Similarly, customers who receive these services are also less likely to terminate, or consider terminating, their relationship with your company.
Hopefully – companies will take note……..