No company wants to find itself in hot water and lose business following a data breach. In order to maintain and regain the trust of customers, there must be an urgent, transparent and empathetic response.
It’s no longer just death and taxes. Data breaches have become the third certainty in life. That’s according to Adam Levin, founder of CyberScout and author of Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves. Looking back at 2018, he might just have a point.
Indeed, 2018 was the year that gave us data breaches at the likes of British Airways, Marriott, Quora and Ticketmaster. And while lessons will have been learned, security experts predict that in 2019, cyber criminals will become even more sophisticated in their work, targeting more than just payment data, going after the likes of login credentials and other sensitive information. We’ll also see critical infrastructure and governments being targeted more frequently, something witnessed in Germany in recent weeks.
For Levin, companies should follow the ‘three M’ approach when it comes to data security. That is, minimise risk, monitor, and manage the damage. For the purpose of this post, we are concerned with the third M – responding to a security breach and rebuilding trust with your customers.
Have a plan
First and foremost, any company or organisation that handles data should have a data breach response plan in place. “This shouldn’t be a plan that is formulated after an event,” advises Levin. “This is a plan that should be formulated in anticipation of an event. Not that a company should be fatalistic but it should be realistic and, when you live in a world where breaches have become the third certainty in life, you have to assume that even if you get everything right as an organisation there is always the possibility that someone somewhere is going to make a mistake.”
According to Levin, many multinationals are guilty of “throwing a fortune” at technology and assuming they have all bases covered from a security point of view. However, as he notes: “You can’t do a victory lap when it comes to cybersecurity because you could be secured at 9am and at 9.01am somebody could click on the wrong link and suddenly you are off to the races.”
Consider your initial response
The first part of maintaining or regaining the trust of your customers following a data breach starts with your initial response. Levin breaks down the necessary measures for us: An organisation must respond urgently, transparently and empathetically.
First of all, urgent actions require a company to call in its breach response team who will attempt to understand the scale and nature of the breach and assess how best to respond. This should be a team of people that includes members of the IT department, the information security department, legal and human resources. Levin recommends that companies consider having a relationship with an outside vendor that understands the laws not only in one jurisdiction but in several regions across the globe where customers might be impacted. “Instead of trying to reinvent the wheel, it’s good to already have the car. And the car is a third-party expert who can get you through this,” he says.
Set the narrative
One of the major failures of companies at the centre of a data breach in the past has been their attempt to cover it up. Levin provides us with some examples.
“One company made a decision that it was only going to notify the victims and it was only going to use mail as a notification tool,” he explains. “It also decided that it wouldn’t notify the media in order to get the vastest, widest reach. Unfortunately, by playing it very close to its chest, one of the people the company notified happened to be a reporter for the largest newspaper in the state and the story did not go away for an incredibly long period of time.”
On the flip side, being transparent brought its just rewards for another company. “There was one client that said, ‘you know what, we want to be upfront about this’, and as part of its notification process it sent letters and also issued a release,” says Levin. “It put a notification on its website immediately. It provided a pretty good idea of what the data was that was compromised so that people would be able to understand the potential outer reaches of how they could be vulnerable. The story went away in less than a week because they set the narrative.”
The response of the second company does come with a caveat, however. “Don’t make an announcement until you fully understand what the problem is,” advises Levin. Companies that make this error are generally the ones that fail to understand how much data they possess at any given time and where that data resides. Hence, the importance of data mapping.
“How many times have you heard the details of a breach and been given one number about the amount of people that were impacted?” asks Levin. “Then, a couple of months later, they announce, ‘well, we were a little off’ and the number suddenly becomes three or four times the [original] number. That’s because they didn’t have enough of an idea. The breach notification plan that every company should have is a plan that not only addresses determining where the weakness was and dealing with that weakness, but also making sure their systems are up and running, their consumers are protected, that their data has been protected and that it has been properly backed up – that if it were to be hit by a ransomware attack, they are suddenly not out of business.”
Levin says the key to regaining the trust of your customers is to make them aware that you are in control of the situation, to be transparent and to let them know that you are there to support them. “You have to explain that you are on it and that you have taken measures,” he asserts. “One of the most important ways to regain consumer trust, in addition to letting them know that you are putting additional protections in place, is to make products and services available to them that will help them get through it.
“It’s not just a case of us giving you a list [of how your data has been compromised] and saying, ‘goodnight and good luck’. It’s letting them know that we have trained professionals who are standing by and if you have any issue you can call them with a question, you can indicate an issue you had and they will help you get through it.”
How partnering with the right company can help
In 2018, Voxpro – powered by TELUS International – found itself on the frontline of one such battle, helping a partner company to regain the trust of its customers following a data breach.
It was a Thursday evening in June when an operations manager at Voxpro received a message from a partner’s VP of Support stating that there was something urgent to discuss. That discussion took place by phone shortly afterwards, and in it Voxpro was informed about a data breach that had taken place at the partner company the previous year, involving the leaked data of millions of customers worldwide. In response, the partner asked Voxpro to immediately remove any existing barriers to scaling its agent headcount in order to meet the expected customer demand resulting from the leak.
At that stage, Voxpro’s partnership with the company had been seven months in operation and was focused on customer and tech support. Upon receiving the call, the operations manager and his team went into action and, through a sophisticated ramp plan, the number of agents employed for the partnership was more than doubled. In order to have a significant number of new agents work-ready at such short notice, Voxpro developed a special one-day training programme designed to deal specifically with the data breach, giving trainees a crash course on the specifics of the breach, the company line on how it was responding and how to support those who had been impacted.
Once the company in question announced details of the leak to the world, Voxpro’s expertise kicked in. During the first week, the team handled 12,000 cases, for the second week 13,500 and the third week 11,500 before gradually returning to normal levels of around 8,000 per week. Through expert resource planning, Voxpro’s ramp plan worked a treat and it helped the partner company maintain and regain the trust of its customers.
It’s evidence that by partnering with the right company – one that is flexible, agile and trustworthy – you can ensure that your customers are in safe hands should you be in the unfortunate position of having sensitive data leaked.