In the chaos following a data breach, communication can be difficult. How can you offer clarity about a situation when you’re still trying to make sense of it yourself?
You can’t not talk to your customers. The longer you leave it to get in touch, the more time they have to hear rumours that could be inaccurate and won’t make you look good. TalkTalk were hugely criticised for not communicating with their customers until after the police were involved following the 2015 attack that saw 157,000 users’ data compromised.
The information customers need from you doesn’t have to be complicated. It needs to be direct and relevant, if you want them to trust you in the future.
When you communicate directly with customers whose private data has been affected, there are six key pieces of information they need you to cover.
What the incident was
Let your customers know how it was possible that someone was able to access their files. Provide an overview of what happened and only make claims that you are confident are accurate.
Don’t go into too much technical detail, or you could end up overwhelming people. Remember that the general public might only have a basic comprehension of cybersecurity. A lot of people get their understanding of digital threats that contemporary businesses face from film and TV.
Be brief, but be clear and informative, so they understand the situation.
How their data was involved
Go into more detail about what the breach means, specifically, for their personal data.
Let them know what type of information has been compromised.
If you don’t yet know the true extent of the damage, be honest with them about the gaps in your knowledge so far. Instead, offer some information about your investigation – what you expect to find and what it could mean for them – and, if possible, an estimate of when you’ll be able to provide an update.
How this will impact them
Knowing that someone else has your data is worrying. It’s difficult to gauge just how much damage a cybercriminal can do with your information and it’s easy to let your imagination run wild. In situations like this, it’s common for people to assume the worst.
Give your customers a realistic idea of the risks they have been exposed to in this breach. Are they more likely to have to worry about identity theft, or phishing emails?
Try not to scare anyone by convincing them that their identity is definitely going to get stolen. But offer a reasonable understanding of what it means that this data has been compromised and advice about how they could handle it.
What you’re doing now to minimise the damage
People want to believe that you are in control of situation. Reassure them that you are doing everything you can to prevent further damage to them or their privacy.
Let them know the immediate actions you have taken to contain the threat and prevent it from causing any more harm. Explain why you have made the decisions you’ve made and what you hope to achieve from each step you’re taking.
Be as clear as you can, without complicating the situation by getting overly technical.
What, if any, actions your customers need to take now
If people impacted by the breach need to be involved at all in the resolution process, explain their role thoroughly. Make sure they know exactly what they need to do to move forward quickly and safely.
Be clear about what must happen at their end – and what you’re going to do to help them achieve it. If they need to change their passwords, or monitor their credit, or apply for compensation, make it as easy as possible for them to do that with minimal hassle.
In failing this step following the breach that affected as many as 145 million users, Equifax has managed to confuse and alienate its customers. People who were originally told they would receive $125 in compensation might get only a few cents, or might not be eligible at all if they weren’t already paying for coverage. Both Equifax and the Federal Trade Commission have been accused of actively misleading consumers.
What you’ll do to ensure this doesn’t happen again
Refer back to your first point: what happened.
Be accountable for any mistakes at your end that made the breach possible. Explain how you are going to reinforce your organisation’s cybersecurity going forward to prevent breaches like this from reoccurring.
Let them know what you are doing to be a part of the solution when it comes to cybercrime
Too much technical detail may end up being more confusing than helpful. But make it clear that you have learned from this situation and are committed to preventing similar issues in future.