As data breaches attract more publicity, lawmakers and consumers are likely to expect more from the entities that experience them.
Evidence of this trend can already be seen at the state level, where legislatures and attorneys general are increasing requirements for reporting breaches. Federal agencies, such as the U.S. Department of Health and Human Services, also increased fines and penalties last year for healthcare organizations that violate the breach requirements under the new HIPAA Omnibus Rule.
For national companies, adhering to breach notification laws is a complicated process. Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted breach notification laws. All of the laws require entities to send notifications to consumers, but the timelines vary. Kentucky passed a breach notification law that takes effect January 1, 2015, leaving Alabama, New Mexico and South Dakota as the only states that don’t currently have breach laws in place.1 Some states also require organizations to report the breach to the state attorney general.
Congress is trying to rectify the inconsistent situation by passing a uniform, national breach law, but so far it has been unable to reach a consensus. The Obama Administration has also pushed for a national breach law within other cyber security bills, but that process has not been successful yet either.
Behind the lawmakers are consumers who are growing more adamant about what they expect after having their personal information compromised in a breach. In 2012, 58 percent of polled consumers believed they should receive identity theft protection after a breach. That number jumped to 63 percent in the same study conducted in 2014. This same study also found that 58 percent believe they’re entitled to credit-monitoring services and 67 percent say they should be compensated with cash, products or services from the breached entity.2
The bottom line is that organizations cannot treat a breach like a mere compliance issue. You can’t just check off items from a list and expect a full recovery. Sure, you need to call forensic investigators, attorneys, law enforcement, breach resolution providers and PR consultants. But if you don’t take care of your customers, patients or employees, they might just switch to a competitor.
Here are some of the top requests from consumers following a breach:
1) Send Clear, Concise and Honest Notification Letters or Emails
Consumers want to know the truth about what happened, what is being done to improve security, and what risks they may face following a data breach.
2) Provide Identity Theft Protection with Credit Monitoring
People are afraid they may become victims of identity theft after a breach. One of the best ways to help alleviate their fears is to provide identity theft protection with credit monitoring or, at the very least, credit monitoring. These services typically alert consumers if something changes on their credit report so they can determine if it’s fraud and try to address the problem before it gets out of hand.
3) Keep an Open Line of Communication
If you don’t have enough customer service personnel, you may want to hire a call center for the first couple of weeks after a breach to answer questions from consumers. It’s advisable to have the call center open seven days per week and to have fraud resolution agents assist your consumers if they become victims of identity theft. Press conferences, press releases and up-to-date websites are also helpful.
So if you notify your consumers in a timely manner, tell them the truth and provide identity theft protection with credit monitoring, your brand’s reputation will likely stay intact. You’ll also be satisfying most of the requirements from state and federal regulators.
2 The Aftermath of a Mega Data Breach: Consumer Sentiment, Ponemon Institute, April 2014