We’ve Been Breached! What Do You Want From Us?


The potential of a significant data breach can strike fear into businesses of every size. In the first half of 2019, more than 3,800 breaches were publicly reported with more than four billion records compromised – and the number of threats is only on the rise.
So, it’s no surprise that cybersecurity has risen to become one of the top corporate governance issues, especially within publicly traded companies. One global bank even recently stated that its budget for cybersecurity preparedness was now limitless. A driving factor for this type of investment is likely the reality that one of the biggest costs of a data breach is customer turnover.  

While most customers understand that breaches are inevitable, it isn’t always easy to forgive and forget. How well a company communicates with impacted customers after a breach really matters. In a recent national survey Experian conducted, consumers said their first response to poor communication following a breach would be to pull their business, and they wouldn’t plan on doing so quietly: 54% say they would post negative comments about the company on social media.

To be sure, call centers and identity theft protection continue to be important. However, businesses may not understand how much consumers value these services. For example, while over half of the consumers we talked to said a call center is important, only 35% of businesses ranked a call center as the best approach.

Sorry Seems to Be the Hardest Word
Interestingly, potentially the least expensive response, an apology from the CEO, was identified by 42% of consumers as something they would want to hear after a breach, but only 28% of businesses ranked that as the best approach.

However, just communicating quickly with consumers can make a big difference. Notification of a data breach gives consumers peace of mind. Our research found that consumers get the most peace of mind when companies respond to breaches with direct and timely communication.

What’s more, 70% of consumers said they would prefer to hear directly from the affected company rather than read about a breach in the news. While laws and regulations may lead companies to believe they have more time to disclose a breach, a clear majority of consumers expect to be notified within 24 hours, and nearly all expect to hear within two to three days.

Perhaps unsurprisingly, consumers are particularly demanding of early notification when it comes to banks, with 83% wanting to know about a breach within 24 hours. However, other industries shouldn’t rest easy.

For example, our research found that 73% of consumers of healthcare organizations wanted to be notified within 24 hours and the same was true for 61% of retail customers. This quick turnaround is why it is essential to have a data breach response plan in place, with external partners such as legal counsel and resolution firms secured ahead of time to support the breach response.

Can Consumers and Business Agree on Anything? 
Identity theft protection was an area where customers and businesses found agreement. Both business stakeholders and consumers rated identity theft protection and credit monitoring as the best actions after a breach, with these services typically lasting up to one year. 

The good news is that even after a breach there may be light at the end of the tunnel when it comes to damaged relationships with impacted consumers. If companies want to restore trust, offering identity theft protection promptly after a breach has proven to be one of the most reliable ways to retain customers.

Unfortunately, businesses were five times more likely than consumers to believe nothing would make a difference. While that’s not the case, many businesses may need to expand the way they respond to a breach, and consumers may be giving them a roadmap to do just that.

Despite major security advancements, the number of breaches and consumers impacted every year isn’t slowing down. Companies need to shore up their defenses to try to prevent a breach, but also prepare for the inevitable and align their response approach with what resonates with consumers. A company can certainly rebuild trust and minimize the business impact with a smooth and thoughtful response. At a minimum, an apology will go a long way.
