Recent data breaches against Panera Bread, Delta Airlines, Sears, Saks, and Lord & Taylor highlight a lot: the need for improved web application and internet security processes, better accountability, and why cybersecurity is critical to securing the loyalty of an organization’s most valued customers.
But perhaps most importantly, it highlights how an organization should react if they do suffer a data breach and the significance of a response plan. If there was ever an example of the importance of honesty and transparency, communicating effectively with consumers after your organization has been breached is a critical one.
Take Delta Airlines as an example. In April 2018, the company announced it was informed that some of its customer’s credit card information had been compromised during online chat support provided by a third party software company called 7.ai. In response, Delta launched a custom webpage providing a complete overview of the breach (including a timeline and FAQ section), executed a customer communication plan that included education and mitigation best practices, and worked with partners and law enforcement to identify how/when the breach occurred.
Delta’s handling of the breach underscores some of the key best practices that organizations should act upon once they identify a data breach has occurred.
- Communication is key to both internal (employees, partners, suppliers, etc.) and external (customers) audiences, including direct mailing to clients, an official media release/statement, and if necessary, interviews in the appropriate press
- Be open and sincere and admit what happened and accept responsibility
- Provide details and explain how the breach occurred
- Mitigate. Provide solutions for impacted users, and if possible, prepare a special offer for the affected audience
- Educate by providing best practices on how to prevent similar issues in the future
- Invite open dialogue by involving clients, industry experts, and even the general public
All too often, consumers discover that their personal information was compromised long after the breach occurred when suspicious activity on financial accounts, e-commerce sites, etc., is noticed. This is often the result of one of two reasons. The first is because an organization doesn’t realize its sensitive data has been breached. According to various sources, it can take a company nearly 200 days to realize there’s been a data breach.
The second and far too common reason is that organizations seeking to avoid the negative connotation of being a data breach victim avoid directly or immediately announcing that a breach has occurred. However, as research suggests, the consequences of such surreptitious communication tactics can be far worse than the direct impacts of a data breach.
According to the report Consumer Sentiments: Cybersecurity, Personal Data and The Impact on Customer Loyalty, the vast majority of consumers must be convinced that the security issue has been addressed and any damage has been rectified before continuing to do business with the brand.
The impact on businesses is twofold. Whereby companies were once reticent about speaking publically about cybersecurity because it would cause consumers to question their business’s fragility, organizations must now embrace and communicate their ability to safeguard customer data. Forward-thinking organizations have the opportunity to use security and due diligence as a competitive differentiator to build trust and loyalty with customers in the face of an increasingly insecure world.
Per the aforementioned points, companies must clearly communicate that a breach has occurred, those likely impacted and planned remediation actions to address the issue. Organizations that don’t admit to compromised consumer records until long after the breach took place to suffer the greatest wrath from consumers.
In addition to increased customer attrition rates and lost revenue, that wrath increasingly includes lawsuits. Forty-one percent of executives report that customers have taken legal action against their companies following a data breach. Given the string of high-profile data breaches in recent years, consumers are becoming increasingly empowered by regional government regulations that are forcing the hands of organizations to act accordingly following a data breach. The best example of this is the General Data Protection Regulation (GDPR) that went into effect throughout the European Union in May 2018. Broadly speaking, the GDPR provides individuals with a right to an effective judicial remedy and/or compensation and liability, especially if the holder of the PII has not acted accordingly to the regulations.
Ultimately, an organization’s ability to successfully respond to a data breach is linked to its ability to view cybersecurity, not as an afterthought, but rather a strategic initiative that mitigates business risk across all mission-critical departments within the organization, not just IT. When an organization is breached, it’s not just impacting the CIO. It affects the CFO, CMO and the COO, in addition to the CEO.
In an increasingly insecure world where customer loyalty to a particular brand is tied directly to that brand’s ability to safeguard the customer’s data, the entire C-suite must be held responsible when a breach occurs to reaffirm the trust and loyalty of consumers and to mitigate the broader, more cataclysmic impact that could result if they don’t.