After a Breach, Be Prepared to Communicate, Communicate, Communicate

I recently wrote about how companies communicate with their customers during and after cyber attacks. Many organizations that suffer a data breach do a poor job of communicating about the incident, leaving people unaware of the level of vulnerability of their personal information.

In just the past week, we received reports of two significant data breaches: Barnes and Noble and the South Carolina Department of Revenue. I commend both organizations for quickly acknowledging their breaches and explaining to the public what they currently know of their breach; what they have done to mitigate the issue; who is most likely to be affected by having their personal information compromised; and what these people who might be affected should do. The state of South Carolina has gone one step further by announcing it will pay for an identity protection service provided by Experian.

Read the organizations’ press releases:

It’s refreshing to see these two high-profile organizations be forthright with details about a data breach. For each of them, the press release was a good first step in communicating to the public. As investigators do their jobs and more is learned about how the attacks happened and who is affected, it will be interesting to see if Barnes and Noble and the state of South Carolina both continue to provide details to the public. And I’m waiting to see if Barnes and Noble steps up and offers credit monitoring support to its customers who are potential victims of this crime.

Data breaches, large and small, happen every day. Regardless of the reason for the breach, it’s important (and legally required) that organizations notify people who could potentially be affected.

In case Barnes and Noble, or the state of South Carolina, or any other organization that suffers any type of data breach, doesn’t know what additional steps to take in terms of communicating about the incident, the Online Trust Alliance includes a section on that very topic in its 2012 Data Protection and Breach Readiness Guide.

The OTA advises the following:

Communicate & Draft Appropriate Responses

Spokesperson(s) need to be prepared to respond to media inquiries. The plan should anticipate the need to provide access to services and information to help impacted individuals. In addition to email, written correspondence, and web site postings, companies should monitor the use of social networking sites such as Facebook, Twitter and blogs to track consumer sentiment. Companies may consider using social networking sites for controlled, scripted and moderated postings, but need to be prepared for the debate or dialog, which may follow.

The communications component of the DIP [Data Incident Plan] should have a set of pre-approved web pages and templates staged, phone scripts prepared and frequently asked questions (FAQ’s) drafted and ready for posting. Staff needs to anticipate call volumes and steps to minimize hold times and to consider the need for multi-lingual support.

In the event that a phishing exploit is the cause of, or contributes to, the incident, it is suggested organizations create a phishing warning page and FAQ in advance and post it in place of the deceptive site as a teachable moment for end users.

Most organizations realize too late or in the heat of the incident that there are subsets of the population that require specific communication. It may be appropriate to consider separate messages and methods of delivery for the company’s most important relationships, such as its highest-value customers or most senior employees, or for categories of individuals that may be particularly sensitive, such as the elderly, the disabled and minors. Remember to consider all applicable laws before determining how to notify. Tailoring communications by geographic region and the unique characteristics of the population, including ethnicity and age of the audience, may be appropriate.

Key questions to include in external communications:

  • Incident description including what, how and when, (the more facts the better).
  • What type of data was lost or compromised?
  • Who was impacted including estimate of the number and type of customers?
  • What action is the business offering to assist affected persons or organizations?
  • What steps are being put in place to help assure it will not happen again?
  • What are you doing to help ensure your customers are not a victim of identity theft?
  • Where will your customers go for information (contact info and toll-free number)?
  • How the organization keeps customers informed and what are the next steps (critical in the early stages when all of the information may not be known)?

New federal and state laws prohibit organizations from hiding data breaches under the rug (like they used to do). Communicating the details in an open, forthright and expedient manner is the right thing to do. So is owning up to the responsibility of helping people who have potentially had their information exposed. It’s the only way to restore the trust that was lost when the data went out the door.