Notifying Customers About a Data Breach: Five Rules

Tuesday, July 17, 2012

Megan Berry


Article by Sam Narisi

Legal fees, clean-up costs, lost business and damage to an organization’s reputation are all consequences of a business being hit with a data breach. The cost can be significant, which is why it is critical to respond properly after a data breach.

More people are being personally affected by data breaches as criminals get better at stealing data. New laws have also made it mandatory for organizations to report breaches to affected people.

In a 2005 survey from the Ponemon Institute, 12% of respondents said they’d been contacted about a breach involving their personal information.

That number more than doubled in a similar study conducted this year, with 25% of the 2,800 survey respondents saying they have been notified about a breach.

Respondents were asked how those data breaches affect their opinions of the organization. Among respondents who were affected by a breach:

  • 62% said it decreased their trust and confidence in the organization
  • 39% said they might discontinue their relationship with the organization
  • 35% will stick with the organization as long as it doesn’t happen again, and
  • 15% will or already have cut ties with the organization.

The way the organization notifies breach victims can have a big impact on how they feel — and whether they remain customers. Only 28% of people said they were happy with how they were told about a breach.

In the same survey, customers described how they want organizations to respond after a breach:

1. Provide all the facts — When at risk, people want all relevant information. However, 58% of people said the notification they received did not include all the facts and “sugar coated” the message.

2. Be clear — Just 48% of people said the breach notifications they’ve received were easy to understand. In addition, 62% said they were too long and poorly written, and 53% said they contained too much legal language. It’s important to present all the facts in a way the average person can comprehend.

3. Let people know what your organization is doing — When asked what key facts were missing from breach notifications, 51% of respondents said they weren’t told about the protections that were being provided to protect victims from financial damage. Offering that information will let victims know the company cares about the dangers they face.

4. Explain the risks and offer advice — Another 25% said they weren’t given information about what steps they should be taking to protect themselves. Explaining these will help reduce fear and confusion.

5. Offer financial help — Most people believe a data breach will make it likely that they will be the victim of identity theft. Therefore, 68% expect some kind of reimbursement. While that may not be realistic, 56% said organizations should offer credit monitoring services to breach victims, which is a step many experts recommend.

For more information, download Ponemon’s study.

About the author: Sam Narisi

Cross-posted from IT Manager Daily
