3 Steps to Effectively Plan and Be Ready for a Customer-Facing Breach Response BRAND STUDIO

As cyber attackers become savvier, and as companies do the work to be ready to respond to a breach, one element must stay top of mind: The customer. It’s one thing for customers to have their data compromised — that can be remedied. However, if a company botches the breach response, it will be much more difficult to restore customer trust and rebuild its brand. Data breach responses that deliver authentic and supportive customer experiences help companies minimize damage, expedite recovery and get back to business faster.

According to a 2015 Security Week article, “Organizations are committing considerable time, talent and money to the task of preventing breaches. The good news is that organizations have successfully cleaned up many mistakes that led to past breaches. The bad news is that even with these efforts, attackers are actually more successful, not less.”¹

Companies are beginning to recognize that having a comprehensive customer-facing response strategy in place before a breach occurs is imperative.

With so many moving parts during a data breach and subsequent response, it can be difficult to determine the best approach to rebuilding customer trust. Here are three steps companies can take to be ready to deliver the best possible response that works not only for the company, but for their customers as well.

1. Don’t Look Down, It’s Time to Scale Up

The most effective data breach response is planned and tested long before the breach occurs. This requires careful planning and consideration of what a company — and its customers — might need, depending on the particulars of the industry and the risk associated with the type of data collected.

When a company is breached, the plan needs to be put into action, and fast. Most companies don’t have the capacity to handle the volume of incoming customer calls or the specialized training to properly address their needs. Securing a partner that can handle that piece of a data breach response is key to putting the customer-facing response into action.

“Companies need to make sure they’re working with a partner that has enough capacity and experience to help them respond quickly and efficiently to a data incident,” says Jessica Smith, Director of Incident Response for AllClear ID, a company that specializes in data breach preparation and response. When customers are scared and upset, they want to talk to someone who can help. Sending them to a third party to answer their phone calls only to endure a 90-minute hold time cannot be the first part of a data breach response a customer experiences.

“That’s the piece that they can touch and hold. They see that happen and they don’t have any reassurance at all that the company is doing the right thing to protect them,” Smith adds. While companies often focus on closing any loopholes and patching the vulnerabilities that allowed the breach to happen, shifting that focus to include customers is imperative to recovery.

Breaches are unpredictable events and for most companies, day-to-day business operations don’t stop during a crisis — so you’re now juggling normal operations with the addition of a large, visible, stressful new project. And most companies will not succeed unless they have help from experts to make it through. Planning and securing capacity before a breach occurs ensures enough dedicated employees are on hand to guide customers through the recovery process. This level of preparation empowers companies to deliver superior customer service, and more importantly, is the best chance for a positive outcome.

Key Takeaway: Customers want the most updated information when they need it, and every minute they have to wait for it further erodes trust. Make sure your customer-facing response plan includes securing the capacity required to respond to customers immediately following the breach, and the resources to guide customers through the recovery process.

2. Loud and Clear: Crafting the Right Message

When a data breach occurs, what a company says to customers, the media and regulators – and how it says it – is critical to recovery. Clear, consistent communication can go a long way toward rebuilding customer trust, so it’s crucial that the response team is equipped with the knowledge and skills to address customers and the media to restore confidence.

Smith notes that launching a data breach response is a lot like launching a new product, albeit with a much shorter, unpredictable timeline. While a company might take months, or even years, to launch a new product, a breach response happens much faster. But she also says that doesn’t mean companies should be hasty in their response — before a company pushes communications out to customers and media, they need to make sure that they first have all of the facts of the breach straight. “Contain the incident, know the facts and then notify your customers,” Smith says.

In 2013, retail giant Target experienced a data breach that left customers reeling — in large part because the details on what information had or had not been compromised kept changing. That was confusing to customers and added stress during an already stressful time. As many as 40 million shoppers had their information compromised.² The retailer kept sharing information with the public in an attempt to reassure its customers, but the approach of sharing unconfirmed information that changed frequently eroded trust instead of building it.³

“After these types of incidents, customers want to know what happened, they want to know what the company is doing to fix it, and they want to know how the company is going to help them if they need it,” Smith says. That’s a big part of the reason why clear, consistent communication across all platforms — press releases, the company website, employees at the call centers, letters to individuals — is so important when a breach occurs. While it may be tempting for a business to release all the information they have as soon as possible, it’s best to confirm all facts before releasing them publicly. This strategy helps rebuild trust by providing a clear, consistent message that does not change from one day to the next.

A company’s actions are just as important as its words during a breach response. Providing customers with easy access to the protections they need most is a simple way companies can show they understand their customers and are ready to help.

If a consumer suspects fraud, for example, Smith says, “they want to be able to call us at any time and our investigators will help them. They don’t want to have to enroll in a product, and go through a lot of work to get the protection they immediately need.”

Key Takeaway: Building a cohesive communication plan in advance of a breach is necessary to remain on message and reassure customers when a breach occurs. What, when and how your company communicates to customers, the media and regulators after a breach goes a long way toward rebuilding trust.

3. Putting Appropriate Protections in Place

No two data breaches are the same, but after any breach, many customers have the same feeling — they want to know that if they are harmed because of the breach, someone will help them resolve the problem.

Customers are a company’s biggest asset — so you need to treat them as such in the event of a data breach. Offering appropriate identity protections to customers after a breach not only reassures them that the company is on top of things, but also helps minimize any potential damage that may result from the breach.

Determining which protections are most appropriate to offer is an exercise that can be done before a breach occurs, but they must remain flexible. It boils down to what kind of data was lost or compromised. If, for example, Social Security numbers are compromised in a breach, then offering credit monitoring is appropriate. That was the case in 2015 when a large health insurance company experienced a widespread data breach that compromised Social Security numbers and health records. Credit monitoring, in that instance, says Smith of AllClear ID, was one of the appropriate offerings for customers. If, however, it’s a point-of-sale breach where only credit card information was stolen, credit monitoring isn’t always necessary or appropriate based on the risk of the data lost.

“A lot of time, companies don’t have the names and addresses to notify anyone if it is just the credit card number that is exposed,” Smith explains. In these cases, an alternative to credit monitoring would be more appropriate, depending on what a company has to offer.

While it is virtually impossible to know what type of data breach will occur before it happens, companies should prepare by analyzing the different types of data they collect and store to determine what would be the best customer offering in light of a breach.

Not all companies collect sensitive data on their customers — nor should they, if it’s not needed — which can change their customer-facing breach response and subsequent protection offerings. Doing a data assessment is critical, Smith says, so a company can understand what its worst-case scenario would be, and work on its customer-facing response plan from that starting point.

And then, test the plan. Do a mock data breach, if the capabilities are available, and have roundtable discussions to get input from others in the company. Making sure you have everything accounted for when responding to customers in a short period of time is imperative, Smith says. It’s time well spent on the front end, before a breach occurs, rather than after one when your business is in crisis mode.

Key Takeaway: Offering appropriate protections that put customers first is a critical step in rebuilding trust. Analyzing risks and remedies associated with an organization’s particular type of data and testing the plan help mitigate the negative effects on customers.

Conclusion

In the past two years, the average cost of a data breach to an organization has jumped 23 percent, to $3.79 million.⁴ While breaches, unfortunately, are seemingly ubiquitous these days, companies can take real, proven steps in advance of a breach to be ready to respond to customers successfully if an incident is discovered.

Acknowledging that a breach could occur, and establishing a response plan ahead of time can mitigate the damage a breach may cause. Even the most robust incident response plans, however, often fail to address one of the most critical aspects of a breach response: the customer-facing response. Ensuring that any data breach response starts and ends with the customer at the center of the plan goes a long way to restoring confidence and retaining customers.

AllClear ID is the leader in customer security, providing data breach response services to businesses that aim to protect their greatest asset: customers. As an industry leader and trusted partner with more than 10 years of specialized experience in data breach response, AllClear ID has helped thousands of businesses prepare for, respond to, and recover from data breaches, including successfully managing three of the four largest and most complex breach responses in history. The award-winning AllClear ID team is recognized for its expertise, customer service, and innovative solutions.

Sources

1. http://www.securityweek.com/data-breaches-numbers

2. http://money.cnn.com/2013/12/18/news/companies/target-credit-card/

3. http://www.bloomberg.com/news/articles/2014-03-13/target-missed-warnings-in-epic-hack-of-credit-card-data

4. https://securityintelligence.com/cost-of-a-data-breach-2015/