As many privacy and security executives are well aware, data breaches are being reported at an increasingly alarming rate and making headlines in the U.S. every day. This increase in reported incidents has led to significantly more attention and awareness by senior leaders at companies who are asking their teams how prepared they are to manage these issues.
But has this increase in attention had the opposite effect on consumers who have their information exposed? Proponents of data breach fatigue – the idea that the more consumers are confronted with security incidents, the less likely they are to proactively protect themselves or take action against the companies at fault for exposing their personal information – would say yes.
But falling for the fatigue fallacy can cause companies in crisis to make decisions in their response that could ultimately further harm their brand and reputation. People care when their information is exposed and they will take action.
A recent Experian survey found that a majority of consumers in the U.S. who were notified of a data breach took steps to protect themselves in response. In fact, 72 percent of consumers who were impacted by a breach updated their anti-virus technology and nearly half reviewed online account activity or company security policies.
Further, this data shows that it is dangerous to generalize when it comes to consumer attitudes toward breaches. While a certain subset of consumers may have experienced data breach fatigue, another set decided to take the extreme action of taking their business elsewhere. One in five consumers notified of a breach stopped doing business with the company that compromised their personal information.
To avoid the potential loss of reputation, customer trust and business that can occur in the aftermath of a breach, companies must consider the needs and concerns that many of their customers may have and ignore the publicized theory of data breach fatigue.
The good news is that there are steps companies can take to mitigate customer fallout after a major security incident.
Prioritize authentic communication
To avoid possible reputational damage and the loss of customers following a breach, companies must prioritize the concerns of their customers and have plans in place that ensure thoughtful communication and expected protection services.
Getting the response right in the heat of a data breach is easier said than done. The mega breaches that have played out publicly in recent months show that companies must ensure they react and respond to an incident by planning ahead and having a response plan in place with security and communication professionals working closely together. Notification letters should be timely, sincere and tailored to the customer based on the situation and the type of information exposed. Letters should include an apology and a clear explanation of what happened, why it happened, and easy-to-follow steps for consumers to protect themselves from fraud. This includes checking credit reports and monitoring financial or health records to identify any suspicious activity.
Beyond the formal notification letter, companies should consider the other channels they can use to communicate with affected customers. For example, establishing a page on a company website dedicated to providing more details about an incident, as well as links to other protection resources, has proven to be a very effective engagement tool. Unlike a written letter, a site can be regularly updated as companies learn more information about the incident and it is an easy place for consumers to gain information.
Other methods of communication to consider for customers include an FAQ section on your company website and a call center. Call center providers can help answer your customers’ more detailed questions and concerns about a data breach, as well as provide assistance to customers enrolling in identity theft protection services. Providing this open line of communication can go a long way in retaining customer trust.
Provide guidance and remedies
Companies should also consider offering services that help consumers further safeguard the information that was exposed by the data breach. Though laws and industry regulations vary on whether and when an organization needs to notify victims following a breach, affected consumers also expect organizations to offer credit monitoring and identity theft protection services.
In fact, 63 percent of consumers believe organizations should be obligated to provide identity theft protection in the event of a data breach. Providing fraud monitoring and identity protection services is an important step for organizations both in terms of compliance and maintaining consumer trust. Companies can also offer access to fraud resolution agents who can help consumers deal with the hassles they may face should they become victims of identity theft after a breach.
Companies must continue to prioritize the concerns and needs of consumers following a data breach. Those affected by a breach deserve to be notified and presented with protection options, whether or not they are interested in taking them. At its worst, the data breach fatigue myth leads businesses to believe otherwise and to do the minimum required by law, rather than what is required to maintain trust and credibility with customers.