Jon AbbottHow to inform your customers of a data breach
There is a good way and a bad way to handle a data breach.
This was just some of the massive public criticism endured by Uber following news that the leading ride-hailing app not only experienced a massive cyberattack that exposed the data of 57 million riders and drivers, but that the company’s former CEO Travis Kalanick had covered it up. The breach came to light an entire year after it happened, as a result of an investigation conducted by media company Bloomberg.
A hack on any scale is a PR nightmare. When customers trust you with their private information, they’re expecting it to be protected. A data breach is also a breach of trust, which can be extremely difficult to regain. But it’s not impossible.
Online genealogy platform MyHeritage was widely praised for how it addressed a 2018 hack in which cyber attackers exposed the emails and encrypted passwords of more than 92 million users. Similarly, Australia’s Red Cross was highly commended for its honesty following a data breach in 2016.
In summary, there is a good way and a bad way to handle a data breach. Here is how to do things the right way.
When to notify your customers of a breach
Before communicating any information about a cyberattack to your customers, it should be formally reported to the ICO within 72 hours. The clock starts ticking from the point at which you discover the breach. The sooner you get it reported, the better.
Once you’ve notified the ICO, you’ll need to make an assessment of whether or not you need to tell your customers. If the data stolen is no more than a name or is of no further risk to the customer, then there is no obligation to notify them. You do, however, have to record the incident.
If, according to the ICO, “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data” has occurred, you need to tell your customers. It’s unavoidable. So, how?
Making a formal announcement
If you need to let your customers know about a data breach, there should be a formal communication that goes out to the press – either in trade magazines or wider, depending on the severity and the size of your business. You should also reach out directly to the people affected.
When Marriott Hotels suffered a data breach affecting 500 million hotel guests in 2018, it released a public statement saying, “Marriott deeply regrets this incident happened. From the start, we moved quickly to contain the incident and conduct a thorough investigation with the assistance of a leading security expert.”
The hotel chain also sent out emails to people in their reservations database immediately following the breach, offering customers in the United States, United Kingdom, and Canada free access to a service that monitored sites where personal information is shared, and which will send an alert if it detects the customer’s details. The email also served as a first point of contact for anyone who was directly affected. This combination of the personal and the wider statement meant no-one was left in the dark about the breach, and everyone had clear actions on what they could do.
Even if the breach is less severe, and doesn’t require a report to the ICO, you may want to gather all the information first and later reach out to the individuals who may have been affected via post or email. Transparency can turn into a benefit if you can show the steps you’ve taken to beef up your cybersecurity.
Who should communicate a data breach to your customers?
Depending on the size and structure of your organisation, this will vary. Some companies will have a risk compliance department, while others may have a data protection officer or a GDPR email account.
In the Marriott incident, the company’s PR department spearheaded the breach communication efforts. A similar protocol was followed after a British Airways data breach where approximately 380,000 credit card payments were compromised.
Other companies might opt for the news to come straight from their CEO. Whoever you appoint, however, should be someone within the organisation with a certain level of calibre, and who understands the business and data protection.
Credit-rating and scoring business, Equifax. took months to alert customers of a 2017 data breach that compromised the private information of 143 million Americans. They were widely condemned for their terrible PR response – not to mention the fact that top
Equifax executives sold $1.8 million worth of company stock in the days after the breach. But the company faced even more backlash when its social media team, after confusing URLs, accidentally directed customers to a fake phishing site to learn more about the data breach.
Communication strategies need to be communicated internally to all staff, as well as to customers, to avoid calamitous customer service mistakes.
What customers will want to know
Most frequently, customers will want to know what has happened to their data, including what categories of information have been compromised and what they should do next e.g. change their passwords, set up a new profile, check their bank accounts for suspicious activity.
You should explain the full extent of the breach – the type of data, whether or not it contains any further information. For instance, if customer email addresses and usernames were revealed, they should be told the full extent of the breach. You shouldn’t hide anything from them, because they have a right to know.
Depending on the extent of your investigation, you might not know all the information immediately. However, once you’ve been able to ascertain all the details, then you should tell them.
Take Delta Airlines for example. In early 2018, the company announced that some of its customer credit card information had been compromised during online chat support provided by a third party software. In response, the company set up a dedicated webpage that provided a complete overview of the breach, including a timeline and FAQ section.
The key thing here is clarity and accessibility. Not all customers are well-versed in cybersecurity, so make sure information about the attack is clear and in plain English. Then make sure that information is both delivered directly, and also easily accessible on the website, too.
Be ethical, be transparent, be prepared
Unfortunately, data breaches happen. While they don’t always compromise your customers’ personal data, it’s important to have a plan for how you’ll deal with them, particularly when it comes to communicating these types of incidents to your customers.
While it’s important to be honest and thorough in your communication, it’s also important that you – and your employees know – how to best protect your customers and your organisation in the aftermath of a data breach.