In-brief: While consumers might be resigned to having their data leaked or stolen, Michael Bruemmer, the Vice President of Experian’s Data Breach Resolution group, argues that companies have plenty to lose from a blasé response to breaches affecting their customers.
Are we tired of hearing about data breaches yet? This has, unfortunately, been the topic du jour as the pace of new data breach disclosures has hit a breakneck speed. While continuing to be top of mind for security professionals, there are conflicting theories about the effect that frequent data breaches have had on consumers and consumer behavior.
Some argue that the more consumers are confronted with security incidents, the more “fatigued” they become by such occurrences. These breach-fatigued consumers, the thinking goes, are less likely to proactively protect themselves or take action against the companies at fault for exposing their personal information.
I’m concerned about this proposition, as it may lead a company to be less concerned with the fallout and with taking action to protect its affected customers.
The breach fatigue fallacy can cause companies, in the crisis that follows a breach, to make decisions about their response that could ultimately further harm their brand and reputation.
People absolutely care when their personal information is exposed and they will take action. A recent Experian online survey found that a majority of consumers in the United States who were notified of a data breach took steps to protect themselves in response. In fact, 72 percent of consumers who were impacted by a breach updated their anti-virus technology and nearly half reviewed online account activity or company security policies. They also took action aimed at the company at fault. Specifically, one in five consumers notified of a breach stopped doing business with the company that compromised their personal information.
So it’s better to err on the side of caution and respond as diligently as you would have if breaches had never become routine news for the American public. The following are best practices to mitigate customer fallout after a major security incident.
Communicate Effectively with Customers
To avoid the potential loss of reputation and customer loyalty, companies must prioritize the concerns of their customers and have plans in place that ensure thoughtful communication.
Getting the response right in the heat of a data breach is easier said than done. The mega breaches that have played out publicly in recent months show that companies must have a well-practiced response plan and team in place before an incident occurs.
This plan should outline precise steps to take in the event of a breach, each team member’s responsibility and guidelines for notifying those affected. Notification letters should be timely, sincere and tailored to the customer based on the situation and the type of information exposed. Letters should include an apology and a clear explanation of what happened, why it happened, and easy-to-follow steps for consumers to protect themselves from fraud. This includes advice to check their credit reports and monitor exposed records to identify any suspicious activity.
Beyond the formal notification letter, companies should consider the other channels they can use to communicate with affected customers. For example, establishing a page on a company website dedicated to providing more details about an incident, as well as links to other protection resources, has proven to be a very effective engagement tool. Unlike a written letter, a site can be regularly updated as companies learn more information about the incident and it is an easy place for consumers to gain information.
Other methods of communication to consider for customers include an FAQ section on your company website and a call center. Call center providers can help answer your customers’ more detailed questions and concerns about a data breach, as well as assist customers enrolling in identity theft protection and monitoring services. Providing this open line of communication can go a long way toward retaining customer trust.
Provide Guidance and Resources for Protection
Companies should also consider offering services that help consumers further safeguard the information exposed by the data breach. Though laws and industry regulations vary on whether and when an organization needs to notify victims following a breach, affected consumers also expect organizations to offer remedies such as credit monitoring and identity theft protection services.
In fact, 63 percent of consumers believe organizations should be obligated to provide identity theft protection in the event of a data breach. Providing fraud monitoring and identity protection services is an important step for organizations, both in terms of compliance and in maintaining consumer trust. Additionally, companies can offer access to fraud resolution agents who can help consumers deal with possible complications should they become victims of identity theft after a breach.
Companies must continue to prioritize the concerns and needs of consumers following a data breach. Those affected by a breach deserve to be notified and presented with protection options. Be wary of the data breach fatigue myth, as it can lead businesses to believe otherwise and do only the minimum required by law, rather than what is required to maintain trust and credibility with their customers.
Michael Bruemmer is the Vice President with the Experian Data Breach Resolution group.