When a data breach occurs, laws and industry regulations, dictate when and if you need to notify consumers whose data might have been compromised. However, many consumers would also probably argue that you’re morally obligated, to notify them of data loss; they want you to tell them of the breach and to do so in a courteous, straightforward manner.
Because of this, notification letters are an integral piece of a firm’s breach response as these often are the first inkling consumers have that their information may have been compromised, and their identities might be at risk. It’s imperative those letters be efficient, effective – and perhaps most importantly – humane.
A 2014 study by the Ponemon Institute and Experian Data Breach Resolution indicates consumers feel there’s room for improvement in data breach notification letters. The survey polled people who had received a data breach notification letter. Sixty-seven percent of those surveyed said they want letters to better explain the risks and potential harms they may face as a result of the breach, 56 want the letter to disclose all the facts, and a third didn’t want the letter to “sugar-coat” the situation. A quarter wanted the letters to be more personal.
The Experian Data Breach Resolution team has vast experience with breach notification letters and data breach notification regulations. In our experience, here are the five most common and egregious errors to avoid when sending a data breach notification letter:
1. Keeping the consumer in the dark about the details.
Customers will want to know what information was compromised in the breach. Was it their Social Security number? A credit card number? Their home address? Consumers can’t protect themselves from further harm if they don’t know exactly what’s at risk. Don’t leave them guessing. Tell consumers exactly what information was compromised in the breach.
2. Speaking “legalese.”
Reverting to legalese – highly complex verbiage largely understandable only to lawyers – is a defense mechanism for companies, and it doesn’t really help the consumer. Twenty-three percent of those polled by Ponemon said the letter they received would have been better if it had less legal or technical language. Keep letters short, factual and simply worded so that the average Joe or Jane can understand them.
3. Leaving out the ramifications and risks.
It’s not enough to simply tell consumers they’ve been involved in a breach. It’s not even enough to tell them what information has been compromised. To truly empower them to protect themselves from further harm, you need to alert consumers to what those risks may be. Consider the type of data that was lost, then explain the risks that can be associated with that type of data loss.
4. Failing to offer an olive branch.
Whether the breach was your fault or not, consumers will hold you responsible and they will feel they should get some kind of compensation for all the grief the breach will cause them. Providing breached customers with an identity protection product not only helps protect them, but it shields your company’s reputation, too. In the Ponemon study, 67 percent of consumers said they felt companies should offer some form of compensation – whether cash, product or service – to consumers caught in a data breach. Sixty-three percent said the company should offer them free identity theft protection and 58 percent wanted free credit monitoring. Interestingly, 43 percent also said a sincere and personal apology might help convince them to keep their business with the breached organization..
5. Failing to seize the chance to rebuild trust.
There’s no question that a data breach undermines customer trust. Some customers will leave a breached company. Among polled customers who remained with the breached company, inertia seemed a major factor in their decision not to go elsewhere; 67 percent said they stayed simply because it was too difficult to find someone else to offer the same products or services. Less than half (45 percent) said they stayed because they were happy with how the company handled the data breach. Breach letters are actually an opportunity to begin rebuilding trust. Explain to consumers what you’re doing to reduce the risk of future breaches, and how you’re taking steps to help protect them from further harm.
Despite your best efforts, a data breach can occur. When it does, the data breach letter is your all-important point of first contact with affected consumers. Craft it well and the letter can be a valuable tool for mitigating reputation damage and rebuilding trust.