Disclosing data breaches on your own terms
As each year passes, serious data breaches show no sign of slowing down. Despite the best efforts of today’s cybersecurity measures, organizations ranging from Capital One to DoorDash have still suffered massive data breaches in the last year.
A record 4 billion customer records have already been exposed as a result of data breaches in 2019 – and we still have over a month remaining for this year! While the sheer volume of customer records exposed as a result of modern breaches (large or small) can be concerning, there are plenty of rules and regulations in place to help protect customers.
As of this writing, all 50 states in the US, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have implemented legislation requiring private sector and government-run organizations to notify individuals when their personal information has been involved in data breach events. In fact, there’s a good chance that you’ve received such a notification yourself.
In the first article of our “Breach Notification” series, “You’re Breached! Encrypting Your Data in The New World of Compliance, Fines and Public Notifications”, we raised a “did you know?”: if your company is breached, the stolen data is encrypted, and the attacker does not have access to unprotected encryption keys, then your company is not legally obligated to notify. This may bring a sigh of relief in some regards, but the fact remains that if your organization has been breached, there is still work to do to make sure it doesn’t happen again, and none of that work is easy.
We recommend disclosing the details of a data breach each and every time one occurs, as a matter of best practice, not only when the law requires it. Doing so improves customer trust rather than eroding it. The point of difference is this: if you have already taken the steps to ensure your customer information stays secure even when your network is compromised, then how you notify your customers of the occurrence can be on your own terms.
This advice can seem counter-intuitive at first. If my customer data has been protected through strong encryption, why would we tell customers we’ve been breached? Surely this will cause unwarranted stress and more work for us to manage the communications and backlash. We think there are actually plenty of benefits associated with effectively disclosing a breach your firm experiences, including the following:
- Promoting transparency with your customer: The implications surrounding the disclosure of a data breach can be intimidating, but more often than not, customers will thank your organization for its transparency. After a breach has occurred, release internal and external communications describing the nature of the situation. If your team is open and sincere about the nature of the event and what measures have been put in place to create a stronger environment to mitigate future risk, customers will be more likely to continue trusting your brand.
- Avoiding those “Front-Page Headlines”: When it comes to data breaches, unexpected disclosures yield the most damaging media coverage. For example, when news of the Capital One hack broke earlier this year, the very fact that it was unexpected generated the most negative media coverage. Customers were scrambling to find out whether their personal information had been compromised and what they needed to do when the news broke on July 19, yet Capital One only issued its letters to affected customers weeks later, in August. Crisis management and handling mandated disclosure in the event of a breach is an enormous challenge and highly resource intensive, but unfortunately it is becoming part and parcel of doing business. Disclosing a data breach on your own terms, rather than being forced to by legislation, may still attract some bad press, but the lasting impression will be that your company is on the front foot in keeping your customers and organization informed. You may end up faring a lot better than if you had failed to act in a timely fashion or tried to play down the incident altogether.
- Combining accountability and information security: If approached tactfully, the disclosure of a data breach event can help promote an internal culture of accountability. In turn, this can help your organization tackle its responsibility for information security with renewed vigor. Over time, this can contribute to fewer data breaches, and thus increased levels of customer satisfaction, regardless of your organization’s product, service, or industry.
Disclosing a recent data breach is the last thing any organization wants to do, but at the end of the day it is the right thing to do. It keeps your firm on the right side of both the law and your customers. Proactively disclosing data breaches whenever they occur makes good business sense, plain and simple – and wouldn’t you rather be in control of handling and communicating the situation on your own terms?