After a Data Breach: Keeping Customers Informed

July 29, 2015 by ofonseca

A data breach can increase a consumer’s risk of falling victim to identity theft. In order to mitigate this risk, federal and state governments have instituted regulations regarding the notification of affected consumers. But many consumers – inundated by news of mega breaches – may experience data breach fatigue, and do little or nothing at all when they receive that all-important notification letter.

In fact, we know from a 2014 Ponemon Institute study that more than a third of consumers who reported receiving breach notification letters also said they ignored the letters, taking no steps at all to prevent fraud. Ironically, however, they also expressed dissatisfaction with communications from the breached company, including the notification letters. Where are companies going wrong?

Too many organizations approach data breach notification purely as a regulatory compliance obligation (which it is), rather than also recognizing it as something that can help the company recover more quickly from the reputational damage associated with a data breach.

Keeping customers informed after a data breach should be about more than meeting the letter of the law. Your communications should also focus on rebuilding consumer confidence in your brand. The consumers caught up in a data breach aren’t just one more technical detail you have to manage in order to achieve compliance; they are people who used to trust your company with their business. If you want them to continue trusting you, it’s imperative you give them a compelling reason to do so.

What constitutes good post-breach communication? It’s more than just sending out a notification letter when the law requires you to do so.

Writing in Forbes, reputation strategist Davia Temin suggests that companies should be the ones to break the news to their customers about a cyber incident. Fail to notify affected consumers right away, and the media will do it for you, she points out. We would build on that advice and remind you that being the bearer of breach news means that perfecting your initial data breach notification letter is essential – and it’s an opportunity to set the most positive, communicative tone possible going forward.

Your breach notification should be as detailed and accurate as possible, telling consumers what happened, how it could (and does) affect them, what you’re doing to repair the problem and how you plan to ensure it doesn’t recur. In the initial data breach notification letter, consider offering consumers identity protection services, such as credit monitoring and ongoing fraud resolution support.

To be most effective, your communications must not end with the notification letter. At some point in your data breach investigation, new information may emerge that’s relevant to affected consumers. Even if regulations don’t require you to do so, sending a follow-up letter with this new information may further reassure consumers that you’re still thinking of them – and working to protect them from any potential negative impact of the breach. It’s also essential that your call center can handle more detailed consumer concerns, and that your website can answer FAQs regarding the breach.

Maintaining regulatory compliance can help you avoid fines, but going the extra mile for the consumers affected by the breach may help you avoid an even costlier consequence of a data breach – the loss of consumers’ trust and their business.