How to Inform Your Customers of a Data Breach

Data breaches are now a regular occurrence. Celebrities, billion-dollar corporations and even governments are targeted by criminal hackers. Breaches that end in the theft of information are among the most damaging forms of cybercrime and are as real a threat as any a company faces.

Most companies hit by a breach reach a critical juncture the moment they realize they are victims of an attack. More often than not, breach response has not been planned for until it is too late. It is at this point that mistakes are made, and crucially they are made when telling customers that their data has been stolen and is in the hands of criminals. Press releases often do a poor job of communicating the extent of the damage and rarely do enough to reassure customers.

A few guidelines make it possible to inform your customers of a breach clearly and credibly.

Make sure they hear it from you first

Make sure you are the one telling your customers that their data has been stolen. It is a bitter pill to swallow, but it is essential. Have the resources and the people to establish what was taken and where it has ended up, whether through an in-house breach response team or an outside one.

When you suspect a breach, gather the facts before communicating them to your customers, then keep customers in the loop and tell them what you know as you learn it. Customers who hear it from you first may be disappointed, but they are far more likely to keep trusting your company.

Headlines are often made when security journalist Brian Krebs reveals a breach before the affected company does. In most cases Krebs contacts the targeted organization first, and sometimes that is how the organization learns of the attack at all. Researchers such as Krebs and white-hat hackers play a crucial role in strengthening defenses and bringing to light vulnerabilities that criminals would otherwise exploit.

If a researcher or journalist publishes the story before you get the chance to, do the next best thing: react, and react quickly. Acknowledge the reports if you need to. Silence is the worst possible response while news of a breach spreads, because the vacuum fills with panic and rumors that only lead to more chaos.

Skip the template. Tell it straight

Scan the press releases, statements and announcements of breached organizations and a common theme emerges. Phrases like the following turn up in a depressingly large proportion of them:

  • “We have joined a growing list of companies that have suffered a data breach.”
  • “We have been the victim of a systematic and sophisticated cyber-attack.”
  • “Cybersecurity has always been our number one concern.”
  • “We are currently notifying our customers and urge caution.”

Security experts, researchers, analysts, cryptographers and even the attackers themselves know that a perfectly secure system cannot be designed or built. No system in the world is 100% secure, and even the most advanced defenses are breached. Trade secrets and critical information are always under threat, including at organizations that are well prepared for an attack. A breach is not inevitable, but it is never entirely avoidable.

Companies that genuinely put customer data and privacy first are vulnerable too. Unlikely as it may seem, a claim to prioritize security can be true and the company can still end up the victim of a hack.

The uncomfortable truth is that customers care little for such claims after a breach. They want reassurance, and they want specifics: which of their data was exposed, and what the company is doing to protect their data now that the breach has happened.

Tell it straight. Put yourself in their shoes and give them the facts they are looking for, not the phrases from the template.

Don’t stay silent. Don’t hide your mistakes. Embrace transparency

Organizations are often caught between a rock and a hard place after a breach; it is that critical juncture again. Decision makers are torn between protecting the company’s pride by putting self-preservation first and being entirely forthcoming and clear about what happened.

Breach announcements and press releases are often tucked away in a remote corner of the company’s own website, usually to hide the embarrassment and blunt the inevitable backlash and criticism. Avoid this.

Put a clear, prominent notice on your home page instead. It tells your customers that you are facing up to the breach and dealing with its consequences. You are owning it, and that is exactly what customers need to see in the critical, chaotic and often confusing aftermath of an incident.

Gain from the experience and be prepared for the next time

Wounded pride aside, a company that survives a damaging breach ought to come out of it well prepared for the next attack. Breach response management that forms part of a disaster recovery plan and feeds into a business continuity plan can make or break a company in the immediate aftermath of an incident.

Adopting ISO 22301, the international business continuity management standard, is an effective way to prepare the organization for breaches. Unlike a standalone recovery plan, ISO 22301 is designed to integrate with the organization’s other management systems, in particular ISO 27001, the information security management standard.

Implementing the two standards together strengthens both the organization’s defenses and its ability to recover when those defenses fail.