Survey Says Customers Come First in Breach Response

To date, more than 34 million records have been breached in 2016, according to the Identity Theft Resource Center. That’s approximately one in 10 Americans. And behind each one of these records is a person—a customer, patient, employee, or other individual whose identity has been compromised.

If you were one of these breach victims, you would hope that the organization responsible for safeguarding your sensitive information would put your needs first. In our newly released Customers Come First: Data Breach Response Survey, we discovered that companies are doing just that. In fact, based on survey demographics, the strong emphasis on customer service appears to be a general attitude among organizations of all sizes and in all industries.

The survey yielded other revealing insights:

• Take it to the top: 27 percent of respondents said a member of the C-suite in their organization determines the response to a breach. Other respondents indicated that privacy, information security, compliance, corporate/outside counsel, risk management, or the board of directors makes that determination.
• Information sharing is caring: Well over half of respondents cited a thoughtfully written notification letter as a top component of breach response.
• Outside experts: When it comes to outsourcing breach components, 64 percent would outsource forensics investigation, but only 14 percent would have external experts draft the notification letter.
• We aim to protect: Nearly 90 percent rated identity protection services as important. Most said these services should be offered for two or more years.
• Keep healthcare data healthy: 90 percent said medical identity protection was a vital component in breaches where PHI was compromised.

3 Ways to Put Customer Interest before Self-Interest

Customer-first is great in principle, but in practice it requires common sense, careful planning, and a realistic budget. These three steps can help:

1. Be honest with your customers. They want to know what happened, why, how, and—most importantly—what you’re going to do to protect their identity. In their Lessons For Security And Risk Pros From The Yahoo Breach, Forrester researchers criticized the Web portal’s response to the massive breach discovered in August 2016. Much of their criticism was aimed at Yahoo’s statement^[1], which, among other things, minimized the importance of its customers’ compromised data and revealed few details about the breach.
2. Have sufficient resources to provide customer service. Once news of a breach gets out, either through notification letters or the media, customers will need answers. An informational website with breach details and a link for enrolling in identity protection services is essential. In addition, you’ll need a call center with trained agents and a process for escalating issues. Often, an outside breach partner can help you pre-determine the volume of expected calls based on the type of data compromised, the number of affected customers, and the nature of the breach.
3. Match the identity protection to the type of data compromised. Credit monitoring, while useful in some cases, is not a panacea for all types of identity theft. I wrote about the mismatch of identity protection services in healthcare data breaches. Offering medical identity protection to customers with compromised healthcare information not only provides a better defense against identity theft, it enhances your organization’s reputation as a customer-first business.

Customers First Is Good Business Sense

Experts agree that the most important principle of a privacy or security breach response is to put the customer first. It’s the customers that have to repair their identities, the customers whose reputation, finances, and health are on the line. Providing the best possible customer protection in the face of a breach will also protect your business in the long run. If your customers feel that you’re putting your organization’s interests before their own, they’ll simply take their business elsewhere.

On the other hand, a well-executed breach response can be an opportunity to create what we call “delighted victims”—or at least satisfied ones.