Story image

Suffered a data breach? Here’s how you manage the fallout

06 Jul 18

Article by Kordia communications head Esmee O’Brien

If your business was to fall victim to a data breach, would you be prepared to notify your customers?

While having an incident response plan is key, so is good communication.

Over the past week, we’ve seen several examples of high-profile businesses falling victim to data breaches.

The fact they were breached in the first place is not surprising as virtually every business that operates online is at risk of cyberattacks. 

What’s more surprising is how some of these breaches have been managed – particularly in regards to communication. 

With changes to New Zealand’s Privacy Bill expected to come into effect in the next 12 months, businesses should already be starting to put some serious thought into what they would do if they were to fall victim to a data breach.

Creating an incident response plan is a great place to start.

What this incident response plan looks like will vary from business to business, but at the very least it should give key stakeholders within your business a clear plan and overview of what needs to be done, by whom and when.

From a communications point of view, an incident response plan should do one thing: reassure your customers that you care.

Based on what we’ve seen in the news of late, some have failed at this.

Good communication is a key part of any crisis or incident response function.

Without it, people are left asking questions, they make assumptions and they feel disregarded – all of which will ultimately affect how they view your business; and whether they choose to interact with it in the future.

So, how do you reassure your customers in the event of a data breach?

1. Act fast

If your business were to be breached and sensitive customer data (credit card details, address, passwords etc.) has been compromised, act quickly and let customers know as soon as possible.

Don’t sit on it for weeks or months, work with your IT team or an external security provider to quickly gather the facts, recommend a course of action and notify customers.

In the case of the Ticketmaster breach, I received an email notifying me that my credit card details may have been compromised and that I needed to reset my passwords as a precaution.

This is what I would expect any company I do ‘business’ with to do in the event of a breach – particularly if my data is affected.

Am I concerned that my credit card information may have been breached? Yes. Will I stop using Ticketmaster because of the breach? No.

2. Be transparent

Don’t leave room for interpretation, provide all the facts and outline the issue so customers know what has happened, what data has been affected, when and how.

Trying to cover up the severity of a situation will only make things worse.

3. Just apologise

All too often, businesses struggle to do one simple thing: apologise.

Put yourself in your customers’ shoes.

Is the breach your fault directly? Probably not.

Does this mean you shouldn’t apologise for the inconvenience? No.

For the average person, a breach of their data is a violation of trust and privacy, particularly if any personal information is involved.

Business and personal relationships are really quite similar - as with any situation where you may have unintentionally done something to upset someone– it’s best to say sorry, acknowledge the incident and outline what you are going to do about it (full review, increase security, change third-party providers).


4. Over-communicate

If the incident isn’t resolved, or if there is still a risk, let customers know that the situation is ongoing.

It’s also important to let them know how you plan to update them so they know where to look for updates.

These could be email updates, a dedicated page on your website or Twitter updates.

Ideally, it should be a combination of several forms of communication as not all people are on Twitter, for example.

If the issue is widespread and a large number of customers’ sensitive data has been affected, you may need to consider running notifications in the media (similar to what happens with a product recall).

Responding to a data breach doesn’t have to be complicated.  

Having an incident response plan in place to deal with cyberattacks and data breaches is part and parcel of doing business today.

Of course, when compulsory data beach notification comes into play here in New Zealand, it will also be non-negotiable – so why not get everything in line now?

It takes a long time for businesses to build a good reputation.

Without a good plan in place to deal with customer communications in the event of a data breach, businesses are putting their reputation at significant risk.

Disruption in the supply chain: Why IT resilience is a collective responsibility
"A truly resilient organisation will invest in building strong relationships while the sun shines so they can draw on goodwill when it rains."
Verifi takes spot in Deloitte Asia Pacific Fast 500
"An increasing amount of companies captured by New Zealand’s Anti-Money laundering legislation are realising that an electronic identity verification solution can streamline their customer onboarding."
Businesses too slow on attack detection – CrowdStrike
The 2018 CrowdStrike Services Cyber Intrusion Casebook reveals IR strategies, lessons learned, and trends derived from more than 200 cases.
What disaster recovery will look like in 2019
“With nearly half of all businesses experiencing an unrecoverable data event in the last three years, current backup solutions are no longer fit for purpose."
Proofpoint launches feature to identify most targeted users
“One of the largest security industry misconceptions is that most cyberattacks target top executives and management.”
McAfee named Leader in Magic Quadrant an eighth time
The company has been once again named as a Leader in the Gartner Magic Quadrant for Security Information and Event Management.
Symantec and Fortinet partner for integration
The partnership will deliver essential security controls across endpoint, network, and cloud environments.
Is Supermicro innocent? 3rd party test finds no malicious hardware
One of the larger scandals within IT circles took place this year with Bloomberg firing shots at Supermicro - now Supermicro is firing back.