Pagoda Blog

If your business is the victim of a data breach, you want to have a response plan in place so that you can swiftly alert your customers. How you alert your customers, and how you communicate with them throughout the investigation, can either save or doom your business. 

 

There’s no way around it. A data breach severely damages the relationship you’ve built with your customers. They trusted you with their data and now it’s been compromised while in your care. There will be trust lost, but how you react to the data breach and keep your customers informed can go a long way in regaining this hard-earned trust. 

 

After a data breach occurs, follow these steps to effectively communicate the incident to your customers. 

 

1. Take Ownership

When you first discover that your organization has been the victim of a data breach, your initial response may be to lay the blame squarely upon someone else’s shoulders. This is a perfectly natural response, albeit a flawed one. 

 

The last thing you want to do when notifying your customers of a data breach is to insinuate that their actions were the cause. Your customers entrusted you with their data and while it may be true that they didn’t create strong enough passwords or failed to use multi-factor authentication, it is your company’s responsibility to effectively encourage these cybersecurity policies. 

 

So, take ownership of the data breach and do everything you can to uncover how the breach occurred and what you can do to prevent it in the future. And this brings us to step number two …   

 

2. Get all the details first 

While it’s important to notify your customers quickly in the case of a data breach, you also want to gather as much information as possible before alerting them. Ask the team who’s handling the breach (this may be a crisis management team or your IT services provider) the following questions: 

 

- What is the scope of the data breach? What data was compromised and how many customers were affected? 

- What role did we play in the breach? Or, how did the third-party gain access to our data? 

- What could we have done differently to protect this data and prevent a future breach?

- How can we help our affected customers? 

 

3. Create an incident response plan 

Once you’ve uncovered as much information as you can about the breach, it’s time to put these findings to work in an incident response plan. This plan will help guide you as you notify customers and respond to their questions, concerns, and requests. 

 

Here are the primary questions your customers will want answers to: 

 

- Has my data been stolen? 

- What is the risk to my data? Is it contained? Is it for sale on the dark web? Is it being held for ransom? 

- Is there any action I need to take at this time to protect myself? 

 

Your organization should also work closely with legal and finance teams to figure out which regulatory bodies, government entities, and insurance agencies to notify. 

 

4. Send your customers a letter 

When a data breach occurs, customers are put on edge and will be hyper aware of email or text scams. While you should still send an email to all your customers first so that you can notify them of the data breach as quickly as possible, you may want to consider also sending a letter. 

 

An old-fashioned letter with your company logo is a trusted source of information. It also shows your customers that you’re willing to go to extra lengths to ensure they feel cared for and informed. An email risks the chance of being marked as spam or simply getting overlooked in an overflowing inbox. 

 

Use multiple platforms to alert customers, from email and text to social media posts and a formal mailed letter. 

 

5. Be the go-to source for data breach updates

Don’t let any other entity (news outlets, individuals on social media, your competitors) take control of data breach updates. You want your organization to be the go-to source for updates on the data breach as your team uncovers more information regarding the cause and impacts of the breach. 

 

To achieve this, you  may want to create a landing page on your website dedicated to these updates. When any new information is revealed, also send an email to your subscribers/list and publish an update on your social media outlets. You may also want to include additional resources on this landing page, such as a link to the FTC’s website and to your own data and privacy policies. 

 

Video also works well to reestablish trust. Consider posting video updates of your CEO sharing the latest information about the data breach. For high-profile cases, you may also need to hold a press conference. 

 

6. Remain transparent and available

As the case evolves, there may be sensitive information that you can’t immediately reveal to the public. Rather than remain silent, share this in an update on your landing page, in your newsletter, and on social media. Your customers want to feel continually assured that you are actively working on resolving the incident and will appreciate being kept in the loop. 

 

It’s perfectly acceptable to post a two-sentence update that says, “We want you to know that we are still actively working to recover your data. Due to the involvement of law enforcement, we are currently unable to provide any further details about the case but will do our best to answer any questions you may have.” 

 

You should also include a way for customers to contact you about the breach: “Don’t hesitate to contact xxx@youremail.com with your concerns.” 

 

Example of a well-done data breach notification 

When the Monterey Bay Aquarium realized that one of their third-party vendors experienced a data breach, they were quick to notify their customers with a clever, on-brand email. 

 

Their email included a brief overview of the scope of the breach, what data was not impacted by the breach, links to additional resources, and a way to contact the Aquarium for more information. 

 

They also kept the email on-brand with the use of an ocean-inspired pun and their logo and brand colors. This helps to signal to customers that it is a legitimate email and not a scam. (They also remind customers that they “will never email you and ask you to disclose or verify your password, credit card, or bank account number.”)  

 

How to stay one-step ahead of a data breach  

For more information on how to respond to a data breach, see the FTC’s Data Breach Response: A Guide for Business. Our team is also happy to answer any questions you may have about taking proactive actions to mitigate the risk of a data breach in the first place. Reach out today for your free consultation with one of our IT experts. 

Feature photo by Malte Helmhold on Unsplash

 

 

Related posts: 

What Business Owners Can Learn from IBM’s Annual Cost of Data Breach Report

Are You Doing All You Can to Protect Your Customer’s Data? 

How to Avoid Online Scams for Disaster Aid 

 

Want to get more posts like these once a month in your inbox? Sign up for the Pagoda newsletter and sharpen your technical skills, from cybersecurity to digital marketing. 

 

Want IT to serve you better? 

Subscribe

 

-------------------

 

About Pagoda Technologies IT services

Based in Santa Cruz, California, Pagoda Technologies provides trusted IT support to businesses and IT departments throughout Silicon Valley, the San Francisco Bay Area and across the globe. To learn how Pagoda Technologies can help your business, email us at support@pagoda-tech.com to schedule a complimentary IT consultation.