Security Management
Published on Security Management (http://www.securitymanagement.com)
Data Breach Preparedness Plan
By John Wagley



    
An integral, but often overlooked, part of any corporate data security plan is caring for customers after an incident.

Data breaches are becoming increasingly common, according to many reports. While companies should strive to minimize their exposure, they should also plan for how they will deal with incidents when they do occur. Organizations stand to benefit especially from planning how they will resume operations and how they will handle notifying their customers.
 
If a network breach occurs “late on a Friday, you want to be operational in hours, not days,” said Chris Shenefelt, an executive vice president at Intersections Inc., which helps companies manage the resolution process. Shenefelt spoke at a recent panel on data breaches at a conference sponsored by the Online Trust Alliance.
 
The first step in planning, panelists agreed, is to identify who in the company will be responsible for each aspect of breach response, including legal issues, IT, and public relations.
 
Companies should also reach out to third-party providers of breach-resolution services before a breach occurs. For example, management should identify one or more credit monitoring or fraud prevention providers that the company wants to work with to offer assistance to customers in the event of a breach, said Shenefelt. Companies should, at a minimum, offer credit reports from all three major reporting agencies as well as at least a year of credit monitoring, he said. Customers should have at least 90 days to enroll in the program.
 
In most cases, organizations should also offer credit scores and identity theft insurance, he said. Scores do not necessarily help prevent fraud. Insurance, in Shenefelt’s experience, rarely results in generous compensation for incidents. But companies should consider such offerings because “customers really like them.”
 
Many companies choose data breach services and products based mainly on overall price, said Anne Wallace, president of the nonprofit Identity Theft Assistance Corporation. But organizations could also benefit from having more expensive offerings available for high-net-worth clients or as a public-relations gesture for all customers. The choice will depend on the company’s overall customer-service approach.
 
Intersections has provided customers with up to 20 years of monitoring, said Shenefelt.
 
Strong communication is also important in the resolution process, say many experts. Many vendors and other sources offer templates for notification letters, a significant communications component.
 
Companies should choose their letters before a breach, said Shenefelt, having them “90 percent complete” with only breach details to enter. The letter will inform the customer about the breach and about whatever resolution services the company is providing in response.
 
Letters should describe at least one product offered to consumers, Shenefelt said. They should also clearly state what information, including personal data, customers may need to provide in order to enroll, he said. Spelling out the enrollment requirements in advance makes the process more seamless and prevents the potentially awkward situation in which customers find themselves unexpectedly asked to hand over data that may have just been mishandled.

Companies should also provide customers with an option for assistance via telephone, said some panelists. Call center representatives should be easy to reach, and they should be trained specifically in how to respond to breach inquiries. The company may want to provide call center operators with scripts, but it should also make sure that the operators understand the importance of being sensitive to the customer’s anxiety over the risk they now face.
 
Though just a small fraction of affected individuals will actually suffer from fraud, this “doesn’t carry a whole lot of weight,” said Wallace. “Many people affected by a breach assume [identity theft] is going to happen to them.”
 
Educating the consumer helps. Consumers calling Intersections are almost always first directed to a customer education department; only a small portion are later sent on to fraud specialists, said Shenefelt. Customers are often unsure whether actual fraud has occurred, and representatives may need to walk consumers through parts of a credit report to try to pinpoint actual fraud incidents.
 
Customers will typically leave a company if any fraud has occurred. But protecting customers from fraud can significantly help with customer retention, says Robert Vamosi, a risk and fraud analyst at Javelin Research. Vamosi, who was not on the panel, has published research on breach resolutions.
 
In addition to helping with customer retention, having a flexible and strong response plan can help prevent potential legal difficulties, according to Christopher Wolf, a partner in the privacy and information management practice at law firm Hogan Lovells.
 
Companies should test their breach response processes and enrollments, said a few panelists, to identify problems and to ensure that customers are provided with a good experience if an event occurs. “It is important for companies to think this day will come and treat it like a fire drill or an earthquake drill and do a simulation,” says Vamosi.
 
By preparing a strong, flexible response plan, companies can help minimize some of the worst breach risks. They can even, in some ways, provide affected consumers with a good customer experience, says Vamosi, especially “if they say and do the right thing...which [often] means being responsive and not trying to sweep it under the carpet.”

 

Comments

I could not agree more with the "pro-active" stance of this

Submitted by jduster on Tue, 03/01/2011 - 13:22.

Debix also gets the Friday afternoon "my hair is on fire" calls from folks who are facing a breach, and one thing that accelerates the response, controls the costs, and improves the accuracy and end-consumer acceptance of the breach response and remediation is a pre-breach agreement. Debix enters into a no-cost, non-exclusive agreement which locks in pricing and that can be accomplished as a Privacy Leader's "enterprise improvement" quarterly goal, and then inserted into the enterprise's incident response kit as an attachment. You don't need budget to get an agreement in place, you just need some time and purchasing department cycles.

Imagine the difference: You will spend the first 2 days to 2 weeks after your data breach incident risk assessment sourcing and then consummating an agreement, instead of simply calling up your existing provider and saying "can you join our war room conference calls today please". (One recent breach stated in their public notice that the reason their notification letters took over 60 days to be sent was because they needed to source a response and remediation vendor.)

 


Security Management is the award-winning publication of ASIS International, the preeminent international
organization for security professionals, with more than 38,000 members worldwide.


Source URL: http://www.securitymanagement.com/article/data-breach-preparedness-plan-008240