Bad things can happen to good companies — and one misfortune that businesses might experience nowadays is a data breach. This type of cybercrime is increasing at an alarming rate. In the United States alone, the number of breaches rose 45% in 2017 compared to 2016.
A data breach can erode customers’ confidence in a company, which can result in lost business. It can also erode the general public’s confidence, which can result in lost business opportunities. Understandably, the size of the breach and the types of data stolen affect the level of confidence people have in a company that has been hacked. But there is another important component in the confidence-level equation: How a business responds to the crisis. For this reason, companies that have experienced a data breach need to be transparent, communicate effectively, and follow through on promises.
While they might not like it, most people understand and accept the fact that data breaches occur. However, if you are caught trying to cover up a breach or intentionally mislead people about its size or severity, irreparable damage might be done to your business’s reputation.
This is why you need to be transparent about the data breach. In other words, you need to fully disclose information about the event in an accurate and timely manner. It is much better if news about the breach comes from official channels in your company rather than being leaked by someone else inside or outside your organization. You should inform your staff, customers, suppliers, and anyone else who needs to know about the event. When telling them, it is important to be honest about the size of the breach and the types of data stolen.
To further enhance transparency, you might consider bringing in third-party experts to conduct an independent investigation of how the breach occurred and what can be done to prevent future occurrences. Plus, an independent investigation will help show that you are taking the breach seriously.
Simply telling everyone there has been a data breach is not enough if you want to keep your customers and salvage your business’s reputation. A lot of thought should go into what to say when you notify the various groups. Be sure to:
- Take responsibility for the breach and apologize.
- Let people know that your company is taking the breach seriously.
- Empathize with the victims.
- Provide details about the type of data that was lost and how it was lost, unless prohibited by law.
- Discuss what steps you are taking so that this type of incident does not happen again.
When notifying the victims of the breach, you will also want to include:
- The options or next steps they can take (e.g., signing up for a complimentary identity protection service)
- Where they can get more information (e.g., calling a toll-free number or visiting a website you set up)
- How to detect fraud (e.g., monitor bank and credit card accounts)
The timeframe in which to notify breach victims and authorities is often regulated by country, region, or industry-specific agencies. For example, the European Union General Data Protection Regulation (GDPR) mandates that customers be notified within 72 hours of the company first becoming aware of a breach. These agencies might also dictate what needs to be included in those notifications.
Follow Through on Promises
To rebuild people’s trust in your company, you will need to follow through on the promises you made to them. Besides fixing the problems that led to the breach, you will need to act on any additional measures recommended by the people who investigated it. You also need to deliver on any assistance you promised to the breach victims.
It Will Take Time
Even when you act responsibly after a data breach, gaining back your customers’ and the public’s confidence will take some time. One study found that it can take anywhere from 10 months to more than 2 years to restore a company’s reputation following a breach of customer data. As a result, it is best to take all the measures you can to try to prevent a breach. We can assess your IT environment and make recommendations on how to protect it from hackers who want to steal your data.