Data Breach Customer Relations: What NOT To Do

Data breaches have become an unfortunate fact of life. But just because data breaches happen every day doesn’t mean your own enterprise’s incident isn’t big news that should be handled with great care. During cyber incident response, one public relations misstep can multiply the damage significantly.

Here’s a look at some bad behaviors you’re going to want to avoid:

DON’T just do the bare minimum.

Some companies try to keep a data breach relatively quiet. “Oftentimes, breach notifications are only done as a result of mandatory statutory reporting requirements, and these requirements can vary widely depending on jurisdiction,” says Ryan R. Johnson, data privacy attorney and chief privacy officer at Savvas.

Johnson says that some US states’ data breach notification laws set very narrow reporting parameters, such as mandatory notification triggered only when specific types of personal data have been accessed. “Simply put, it’s up to a company to make the determination on whether customers would be adversely affected.”

And don’t forget: some data breaches don’t include personal information at all. Breaches of intellectual property, for example, could impact entire supply chains.

DON’T downplay the potential damage.

It’s rare to know the full extent of the harm during or immediately after a data breach, and hopes often run high that the breach isn’t as bad as it seems. Don’t start off by downplaying the damage in your initial disclosure to affected customers. If you do, you may face a worse situation later, when the true scope comes out.

“The TJX management in the US would probably admit that their response to the [breach of 45.6 million credit card numbers] back in 2007 did not go well,” says JD Sherman, CEO of password manager Dashlane. “While they communicated on a timely basis, they underestimated the impact in their initial communications, making the news that the breach was much larger even harder to swallow.”

DON’T be a profiteer.

“One terrible way to handle a breach situation is to not handle it at all,” warns Cassandra Morton, senior vice president of customer success and service delivery at NTT Application Security. “Even worse is to use the event as an opportunity to sell a series of new tools and services in an attempt to course correct the situation.”

Don’t dangle free services as a way to get out of the situation either. After its 2017 breach that exposed Social Security Numbers, birth dates, and addresses belonging to what amounted to more than 40% of the US population, Equifax offered victims complimentary credit monitoring (provided, ironically,

After a data breach, time is of the essence. If notification — to regulators, law enforcement, media outlets, and/or impacted customers — is mandated

Sometimes law enforcement investigations will prohibit you from informing affected customers right away, but don’t unduly delay. More damage can result from the use or sale of that data elsewhere. If you delay warning your customers, third-party vendors, or others affected

“The worst way to handle notification is not sending at all or exceptionally late. This approach will immediately raise a level of mistrust

“There have been examples of notifications two years after the fact and only after an investigation revealed an omission of the exact details,” Tosto says.

“The other approach to avoid is placing blame or giving false credit for sophisticated hacker methods. Statistics show breaches are common with unpatched vulnerabilities for six months or more,” Tosto adds.

When credit bureau Equifax discovered a breach in 2017 that exposed Social Security Numbers, birth dates, and addresses belonging to what amounted to more than 40% of the US population, they took their time disclosing it. They waited 40 days

However, if your company stays quiet about a data breach unless and until the news media gets wind of it and announces it publicly, or if news breaks and you still take your time getting those notification letters out, you’ve likely created a public relations nightmare.

“The worst way to handle customer notification is for customers to hear about it in the news first, then get a notification — weeks, or even months later,” says Johnson.

The Golden Rule

Fortunately, all these bad moves can be avoided. “Customers often become angry with and lose trust in organizations that are not transparent, communicate no action, or play a victim,” says Megan Paquin, APR, CPRC, vice president of Poston Communications, a PR and crisis communications firm, and leader of the firm’s crisis management team. “They understand that criminals are behind these attacks, but they need to feel confident that businesses have their backs when it comes to their data privacy and security.”
