Smart business people know that they must secure their systems to withstand the most determined and persistent physical, as well as cyber, attacks. They must minimize their risk of exposure by deploying the most sophisticated security and anti-malware software, using outside firms to frequently penetration-test their cyber defenses, continuously training their employees to comply with the most stringent security protocols, investigating every vendor and installing state-of-the-art physical security equipment. They must obsessively monitor all of the above. And then, be prepared to manage the damage when the all-too-inevitable breach occurs. But in between the technology, training and tracking, it’s all too common to forget one key factor: preparing to deal with the emotions of those customers or employees whose data have been compromised.
Anyone whose data is accessed and exposed in a breach is going to be shocked, scared, concerned and/or angry, at the very least. But while hackers and thieves anonymously lurk behind avatars and screen names selling the pilfered data on black market sites, victims of your breach will have another target (pun intended) for their outrage: you.
Now you can talk ad nauseam about your sophisticated technology and tireless training – no doubt boring most anyone who will listen with the specifics (or at least the details that your lawyers or law enforcement officials will allow you to disclose) of everything you did right and how the bad guys snaked you anyway. But the fact of the matter is that as bad as the breach is for your business, there will be a whole lot of good customers, employees and clients out there whose financial lives are about to be disrupted – with no notice – and whose future lives could well be rocked by identity theft for no reason other than they chose to patronize your business.
Every business must build urgency, transparency and empathy into its breach planning.
What does that mean? For one, you shouldn’t wait until you are outed by reporter Brian Krebs to properly inform your customers. Instead, like Kickstarter did, notify your customers the minute the hole in your system is plugged and the existence of actionable damage is confirmed. The best way to help your customers and maintain your relationships with them is to treat the situation with a sense of urgency. Your security hole might be plugged but, with their data stolen, theirs is open as long as you keep quiet.
Next, be as transparent as possible — without harming any ongoing law enforcement investigation. Acknowledge what you know about the breach, how you suspect it will affect your customers and what you concretely plan to do to remedy the damage your data breach has done to them. Portraying the criminals who hacked your system as sophisticated computer geniuses who broke into a heretofore impenetrable system is only going to backfire when some enterprising reporter discovers that your system was accessed using off-the-shelf hacking programs and your security team ignored warnings to that effect long before anyone did anything about it.
Finally, be empathetic. While you have been (or, at least should have been) preparing for a data breach all along, your customers absolutely did not expect to have their personally identifying information or financial data fall into the hands of criminals today. Though you might know what your company needs to do to fix the problem, or how you might personally cope with being the victim of a data breach, I daresay most of your customers do not and will not. You must treat their feelings — even their anger — with respect, train your employees to do so and work to assuage their fears with information and, if warranted, credit monitoring and resolution services. For instance, the last thing they need is for you to demand additional sensitive information from them before processing their fraud claims, which will only make them feel more powerless, frustrated and angry with your company.
Frankly, all the technology you need to deploy and all the training you need to implement to try to protect against a breach are probably easier than planning for urgency, transparency and empathy in your response to the inevitable breach. But as Airbnb’s Chip Conley shows, “scenario planning” can help make the difference between a response that is lambasted by the media and abhorred by your customers, and one that is praised far and wide.