No doubt you’ve heard of Equifax. The credit reporting company suffered one of the largest data breaches in history in the summer of 2017, when attackers exploited a known but unpatched vulnerability in one of the company’s web applications and stole the personal information of roughly 150 million people.
But Equifax is even more notorious for how they handled the crisis than the fact that it happened.
First, Equifax broke data breach notification laws by waiting more than a month to send a security breach notification and by failing to disclose an earlier breach. In the days after the breach was discovered, but before it was made public, executives also sold off almost $2 million in company stock, leading the public to believe company leaders offloaded their shares before their value tanked.
Equifax then built a new site, on a freshly registered domain, for customers to check whether their data was affected. A security researcher quickly cloned it to show how easy it would be to phish those same customers, and the company’s own social media team went on to tweet links to the look-alike site instead of the real one. Since then, Equifax has accidentally sent consumers affected by the breach the wrong notification letters and has given former CEO Richard Smith a $1 million raise for his leadership.
This escalating series of missteps goes to show that data security breaches are treacherous ground for companies and customers alike. Beyond the breach itself, a badly handled response can compound the crisis.
As breaches increase in their scale, sophistication and frequency, it’s never been more important that your team takes a proactive approach to security infrastructure and — if necessary — to rebuilding customer loyalty after a data breach.
Create a data breach response plan
Just as in any crisis, you need a plan to minimize potential harm and prevent the same crisis from reoccurring in the future. A data breach response plan, or the process your company follows in the wake of a breach, requires company-wide accountability, the promise of transparency, and an overarching willingness to make things right.
When you tackle the response to an overwhelming customer service crisis like this, remember the “service recovery paradox”:
“Research shows that when a company recovers well after a significant service failure, it can benefit from higher customer satisfaction levels than before the crisis.”
Rebuilding trust requires that you go above and beyond — here’s how to start one step at a time.
Research data breach notification laws
If your company has been at the center of a data breach, it’s also subject to intricate, overlapping regulations that protect customers around the world. These security breach notification laws are becoming more rigorous as data breaches far exceed the rate that legislators expected. All 50 states, as well as the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands, have breach notification laws. Other countries do, too, and their laws vary in severity and in their deadlines: the EU’s GDPR, for example, requires notifying the supervisory authority within 72 hours of becoming aware of a breach.
As a business owner or leader, you need to understand the nuance of how the laws affect your data breach response plan. If you have customers across multiple states, you’re bound to comply with the laws of each of those states, which is determined by where your customers live, not where your company is based. For example, Pennsylvania filed a lawsuit against Uber for violating a data law protecting Pennsylvania residents. (At the time of this writing, there is no general federal breach notification law in the U.S., only sector-specific rules such as those for health and financial data, although a bill on data breaches was recently introduced in the Senate and there could be a national standard soon.)
While you could try to untangle these laws on your own, your company would benefit from an attorney who understands the ins and outs of data breach notification laws and stays up on the latest changes in legislation. An expert can help you understand the granular elements of your responsibilities, especially if your company is based online and needs to adhere to multiple sets of regulations.
Assess the scale and source of the data security breach
A thorough assessment of the scale and source of a data security breach starts with a simple question: What data do hackers or inside leakers want and why? Audit the sensitive data your company keeps to understand how deep the breach could go. For example, maybe you keep addresses and credit card information of customers but never Social Security numbers. Then pair that inventory with what your logs actually show was accessed, because the severity for your community depends on which of those records the attacker reached, not just on which ones you hold.
The same way that an expert can help you navigate security breach notification laws, a data security expert can also help you discover exactly what happened. A breach is evidence that your existing controls missed something, so bring in an outside incident response or forensics consultant to complete a full post-mortem. Before you wipe and rebuild anything, preserve the evidence (logs, disk images, and the affected accounts’ activity), since the information needed to scope the breach is easy to destroy during cleanup.
With the eyes of an expert, you can see any vulnerabilities that led to the breach and build a comprehensive data security plan from there. Be aware that you may need to completely redesign your security infrastructure to protect customers’ data. Other situations, like human mistakes, are just as important to pinpoint, because you can address them with education and training.
Security best practices are numerous, but they include two-factor authentication, least-privilege access to sensitive information, encryption of data at rest and in transit, centralized logging and monitoring, automated detection and alerting, employee education, and regular testing, including patching known vulnerabilities promptly.
Consider your ethical obligations as a company
Security breach notification laws list the bare minimum requirements for honoring the rights of customers, but they don’t show you how to win back the trust of your community.
J.J. Thompson, CEO at Rook Security, told Forbes there’s a “magic seven-day window” to present customers with a clear assessment of what happened and how you’re going to fix it. Your company needs to act efficiently to meet that deadline — it’s an all-hands-on-deck scenario. Although a week may seem like a short time frame, it’s a long time for customers whose credit card or social security numbers were leaked.
How to draft a security breach notification
A “data breach notification” is the formal term for the email or letter you send to let customers know that there’s been a security breach. This is when it’s really important to follow the letter of the law. But even when companies follow data breach notification laws with exacting detail, they often fall short in multiple ways. There are a few keys to getting a breach notification right, and the most important one is to treat your customers as humans first.
1. Empathize with your customers
A data breach can lead to an escalating series of disasters for customers, like identity theft and credit card fraud. When you write to customers, imagine how they’re feeling about this breach. Empathize with their sense of powerlessness and their sense of frustration that they have to take steps to prevent real-life consequences. After all, they didn’t make a mistake. Apologize sincerely and specifically for what unfolded and take complete responsibility for the breach.
2. Be transparent about what happened
These breach notifications are not a time to be vague. Describe what happened with transparency and without jargon. For example, you could say, “Last week, an attacker got past our security controls (including a firewall and two-factor authentication) and stole the credit card information of 1,000 of our customers.” Be specific about what was taken and when; hold back only the technical details that would help a second attacker before the fix is in place.
Also include clear directions on how customers can check in on the status of their personal data. People who want to know more about what unfolded beyond a brief description also have the right to that information, too. Direct customers to more documentation that details the breach and the company’s response in depth.
3. Outline the ways you’re fixing the vulnerability
If you’re managing the data breach response plan well, your team will be working around the clock to fix any vulnerabilities and make it up to customers. In the notification email, describe the ways the company has created internal accountability and collaborated with external experts to drive actionable change.
4. Pay for an identity protection plan
Data breaches are particularly challenging because the damage is already done. One of the most difficult things about breaches is that there’s not much you can do to make customers’ lives better. Offering to pay for an identity protection plan is a small but meaningful way to reduce the fallout for each and every customer. Make it easy for people to take you up on it — this step shouldn’t be an extra hassle for them.
5. Give an incentive for loyalty
Loyal customers always deserve a “thank you” when they choose to stick with you through thick and thin. At the end of the email, be generous and offer customers a discount on their next purchase or for their monthly service. This small token can help tip the scales in building trust, reassuring customers that you are willing to take a revenue hit to make the experience better for them.
Data breach notification example
The following (real) example of a data breach notification email may follow data breach notification laws, but it doesn’t speak to readers — i.e., customers — as humans. Let’s explore how this letter could have made better use of empathy, clarity, and follow-through.
NOTICE OF DATA BREACH
To the MyFitnessPal Community:
We are writing to notify you about an issue that may involve your MyFitnessPal account information. We understand that you value your privacy and we take the protection of your information seriously.
On March 25, 2018, we became aware that during February of this year an unauthorized party acquired data associated with MyFitnessPal user accounts.
This pivotal section is missing a serious “I’m sorry.” Always apologize because you have broken your customers’ trust. The phrasing here, an “unauthorized party” that “acquired” data, reads as if the company had nothing to do with it. Apologizing sets the record straight, creates accountability and cuts through the vagueness you see here.
What Information Was Involved?
The affected information included usernames, email addresses, and hashed passwords - the majority with the hashing function called bcrypt used to secure passwords.
It’s great that they list out what data got leaked during the breach, but they don’t answer the most important question: How does it affect customers? Why does it matter to them? Almost all of us aren’t data experts — we need help connecting the dots on what these breaches mean in real-life terms. “Hashed” and “bcrypt” are exactly that kind of jargon: a customer needs to be told that hashing means the passwords weren’t stored in plain text, that bcrypt is designed to make guessing them slow, but that a weak or reused password can still be guessed given enough time, which is why the password still has to be changed everywhere it was used. The notice also says “the majority” used bcrypt without saying how the rest were protected, which leaves the worst-affected customers guessing.
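To make that point concrete, here is an added example, not code from the original page or from MyFitnessPal. It runs the same small dictionary attack against a constructed “leaked” table hashed two ways: with plain SHA-1, and with a deliberately slow, salted password hash. Python’s standard-library PBKDF2 stands in for bcrypt here (both are slow, salted password hashes; the bcrypt library is not in the standard library), and the accounts, salts, iteration count and guess list are all constructed for the demo.

```python
import hashlib
import time

# Assumption: an iteration count standing in for a bcrypt work factor; not a
# value taken from the page or from MyFitnessPal.
SLOW_ITERATIONS = 50_000


def fast_hash(password: str, salt: bytes) -> bytes:
    """One SHA-1 over salt + password: a fast, general-purpose hash."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def slow_hash(password: str, salt: bytes) -> bytes:
    """Deliberately slow, salted password hash (PBKDF2), standing in for bcrypt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, SLOW_ITERATIONS)


# Constructed accounts: (username, password the user chose, per-user salt).
# The plaintexts exist only to build the sample table; an attacker holding the
# leaked table sees only the salt and the hash.
CONSTRUCTED_USERS = [
    ("alice", "password123", b"salt-alice-01"),
    ("bob", "iloveyou", b"salt-bob-0002"),
    ("carol", "T9#vq!rLm2^wXz&c", b"salt-carol-03"),
]

# Constructed guess list: a handful of the most common leaked passwords.
COMMON_GUESSES = ["123456", "password", "qwerty", "password123", "iloveyou"]


def build_leaked_table(users, hasher):
    """What the attacker walks away with: (username, salt, hash) rows."""
    return [(name, salt, hasher(plaintext, salt)) for name, plaintext, salt in users]


def dictionary_attack(leaked, hasher, guesses):
    """Offline guessing against the leaked rows; returns {username: recovered password}."""
    cracked = {}
    for name, salt, digest in leaked:
        for guess in guesses:
            if hasher(guess, salt) == digest:
                cracked[name] = guess
                break
    return cracked


def compare_schemes():
    """Run the same dictionary attack against both schemes and time each run."""
    results = {}
    for label, hasher in (("sha1", fast_hash), ("slow", slow_hash)):
        leaked = build_leaked_table(CONSTRUCTED_USERS, hasher)
        start = time.perf_counter()
        cracked = dictionary_attack(leaked, hasher, COMMON_GUESSES)
        results[label] = {"cracked": cracked, "seconds": time.perf_counter() - start}
    # How much more each guess costs the attacker under the slow hash.
    results["slowdown"] = results["slow"]["seconds"] / max(results["sha1"]["seconds"], 1e-9)
    return results


if __name__ == "__main__":
    r = compare_schemes()
    for label in ("sha1", "slow"):
        print(f"{label}: cracked {sorted(r[label]['cracked'])} in {r[label]['seconds']:.3f}s")
    print(f"the slow hash cost the attacker roughly {r['slowdown']:.0f}x more per guess")
```

Both runs recover alice’s and bob’s passwords, because they chose ones on the guess list; carol’s survives both. The slow hash only makes each guess cost far more, which buys customers time rather than safety. That is the sentence the notice needed: if your password was common or reused, assume it can be recovered, and change it everywhere.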
What We Are Doing
Once we became aware, we quickly took steps to determine the nature and scope of the issue. We are working with leading data security firms to assist in our investigation. We have also notified and are coordinating with law enforcement authorities.
We are taking steps to protect our community, including the following:
- We are notifying MyFitnessPal users to provide information on how they can protect their data.
- We will be requiring MyFitnessPal users to change their passwords and urge users to do so immediately.
- We continue to monitor for suspicious activity and to coordinate with law enforcement authorities.
- We continue to make enhancements to our systems to detect and prevent unauthorized access to user information.
The sentence “We are notifying MyFitnessPal users to provide information on how they can protect their data” could confuse a customer. Is this email the way they are notifying users about how to protect their data (in the section below), or is it through another upcoming email?
Additionally, the order of “detect and prevent” in the final bullet point isn’t ideal. Customers want to know that you’re preventing breaches first and foremost — switch the order of “detect” and “prevent” here.
What You Can Do
We take our obligation to safeguard your personal data very seriously and are alerting you about this issue so you can take steps to help protect your information. We recommend you:
- Change your password for any other account on which you used the same or similar information used for your MyFitnessPal account.
- Review your accounts for suspicious activity.
- Be cautious of any unsolicited communications that ask for your personal data or refer you to a web page asking for personal data.
- Avoid clicking on links or downloading attachments from suspicious emails.
For the “avoid clicking on links or downloading attachments from suspicious emails” recommendation, it would be helpful to include a hyperlink to a resource that helps people identify suspicious emails. Because the company made the mistake, it’s also their job to help educate customers.
For More Information
For more information, please go to https://content.myfitnesspal.com/security-information/FAQ.html.
The end of this email is missing three pivotal additions:
- A simple “thank you” to customers for valuing the product and using it every day.
- A “thank you” gift that transforms those words into something tangible that customers can benefit from.
- The promise of an update as the findings from the consultants emerge.
Note: Data breach notification laws differ from state to state and country to country — consult an attorney before drafting your own.
Empower your support team with the right information
Data security breaches are a mess for customers, but they’re also a nightmare for support teams. Customer support professionals can (understandably) expect a flurry of urgent requests from furious customers who want to understand how and why this happened.
Give your support team everything they need and more to help customers understand the situation. Create clear guidelines about what support should say about the breach and how to say it, and give them all the context they need to understand the importance of every dialogue.
Near-constant complaints of this magnitude can test the patience of even the most experienced support professionals. Offer ample breaks and extra recognition to the team for rebuilding customer loyalty after a data breach.
Continue the conversation with customers
Even the most thoughtful and effective security breach notification isn’t the end of a successful data breach response plan. One point of communication will never be enough with a customer support issue this huge.
If you want to woo customers back, you need to follow through on the dialogue you started. Keep your community up to date on new security measures and become an advocate for taking preventative steps in your industry — after all, you’re in the best position to help educate the public on a topic we just don’t talk about enough before it’s too late.