Suffered a data breach? Here’s how you manage the fallout

06 Jul 2018

Article by Kordia communications head Esmee O’Brien

If your business was to fall victim to a data breach, would you be prepared to notify your customers?

While having an incident response plan is key, so is good communication.

Over the past week, we’ve seen several examples of high-profile businesses falling victim to data breaches.

The fact they were breached in the first place is not surprising, as virtually every business that operates online is at risk of cyberattacks.

What’s more surprising is how some of these breaches have been managed – particularly in regards to communication.

With changes to New Zealand’s Privacy Bill expected to come into effect in the next 12 months, businesses should already be starting to put some serious thought into what they would do if they were to fall victim to a data breach.

Creating an incident response plan is a great place to start.

What this incident response plan looks like will vary from business to business, but at the very least it should give key stakeholders within your business a clear plan and overview of what needs to be done, by whom and when.

From a communications point of view, an incident response plan should do one thing: reassure your customers that you care.

Based on what we’ve seen in the news of late, some have failed at this.

Good communication is a key part of any crisis or incident response function.

Without it, people are left asking questions, they make assumptions and they feel disregarded – all of which will ultimately affect how they view your business, and whether they choose to interact with it in the future.

So, how do you reassure your customers in the event of a data breach?

1. Act fast

If your business were to be breached and sensitive customer data (credit card details, addresses, passwords etc.) had been compromised, act quickly and let customers know as soon as possible.

Don’t sit on it for weeks or months; work with your IT team or an external security provider to quickly gather the facts, recommend a course of action and notify customers.

In the case of the Ticketmaster breach, I received an email notifying me that my credit card details may have been compromised and that I needed to reset my passwords as a precaution.

This is what I would expect any company I do ‘business’ with to do in the event of a breach – particularly if my data is affected.

Am I concerned that my credit card information may have been breached? Yes. Will I stop using Ticketmaster because of the breach? No.

2. Be transparent

Don’t leave room for interpretation; provide all the facts and outline the issue so customers know what has happened, what data has been affected, when and how.

Trying to cover up the severity of a situation will only make things worse.

3. Just apologise

All too often, businesses struggle to do one simple thing: apologise.

Put yourself in your customers’ shoes.

Is the breach your fault directly? Probably not.

Does this mean you shouldn’t apologise for the inconvenience? No.

For the average person, a breach of their data is a violation of trust and privacy, particularly if any personal information is involved.

Business and personal relationships are really quite similar: as with any situation where you may have unintentionally done something to upset someone, it’s best to say sorry, acknowledge the incident and outline what you are going to do about it (a full review, increased security, a change of third-party providers).

4. Over-communicate

If the incident isn’t resolved, or if there is still a risk, let customers know that the situation is ongoing.

It’s also important to let them know how you plan to update them so they know where to look for updates.

These could be email updates, a dedicated page on your website or Twitter updates.

Ideally, it should be a combination of several forms of communication as not all people are on Twitter, for example.

If the issue is widespread and a large number of customers’ sensitive data has been affected, you may need to consider running notifications in the media (similar to what happens with a product recall).

Responding to a data breach doesn’t have to be complicated.

Having an incident response plan in place to deal with cyberattacks and data breaches is part and parcel of doing business today.

Of course, when compulsory data breach notification comes into play here in New Zealand, it will also be non-negotiable – so why not get everything in line now?

It takes a long time for businesses to build a good reputation.

Without a good plan in place to deal with customer communications in the event of a data breach, businesses are putting their reputation at significant risk.
