In the aftermath of a data breach, the key question isn’t “should we be completely open with our customers?” By now, you hopefully understand the importance and virtues of transparency. Rather, the key for organizations is “can we be completely open and honest with our customers?”
Many companies are learning the hard way that they do not have the right amount of information following a breach – and when a company is in the dark, so too, are their customers.
A few months ago, in our Throwback Hack post on P.F. Chang’s, we discussed the company’s response to its customers, noting the commentary of Dr. Michael Lloyd, CTO at security firm RedSeal Networks, who commended P.F. Chang’s for its transparency in openly discussing the extent of the breach. While admirable, his view was that P.F. Chang’s fell short of an ideal response:
P.F. Chang’s statement about the extent of the breach they suffered is commendable – consumers, investors and regulators demand transparency. However, the time it took is interesting – it’s an example of the “fog of war” that all organizations have to deal with today. Just as in real wars, defenders need to understand where they stand. Unfortunately, terrain mapping is quite hard in the overgrown, complex IT infrastructures we rely on.
In other words, the company wanted to do the right thing. They just didn’t have the information on who-did-what-when. They are hardly alone in this regard.
Unfortunately for companies like P.F. Chang’s, it looks like this lack of knowledge will not be tolerated for much longer. In his new pitch for a Personal Data Notification and Protection Act, President Obama says he wants companies to notify consumers within 30 days of a personal data breach. From the White House press release:
This proposal clarifies and strengthens the obligations companies have to notify customers when their personal information has been exposed, including establishing a 30-day notification requirement from the discovery of a breach, while providing companies with the certainty of a single, national standard.
Of course, the purpose of this post is not just to point out the shortcomings of others; we want to offer some valuable advice to help companies struggling with this specific problem. With that in mind, here are a few data points you’ll need to know – and communicate to customers – following a data breach:
- Timing: This is the one that gets so many companies in trouble, including P.F. Chang’s. The longer it takes you to identify a breach, the worse things get. Not only does a delayed response worry customers (whose information has been compromised for an extended period of time), it prevents you from resolving the issue in a timely manner. The sooner you alert customers to suspicious activity, the faster they can act to protect themselves and the more confident they are in your ability to prevent similar incidents from recurring.
- Source: Where did the breach originate? And who is responsible? Without being able to let your customers know the source of the breach, they’ll naturally be skeptical of your ability to resolve the issue. Simply stating that “we are investigating the matter” will no longer suffice; your customers want specific details, so be prepared.
- Compromised Data: What types of files and data were compromised? Was it just names and passwords, or did it include social security and credit card numbers? Sometimes a breach occurs that doesn’t result in any compromised data, but if you don’t know, then you can’t communicate this to your users, who will in turn expect the worst.
- Affected Users: A data breach doesn’t necessarily affect everyone in an organization’s database. Sometimes – in the case of many retail breaches, for instance – it’s just those who purchased goods during a specific time period. In order to not cause alarm where none is needed, it’s critical for organizations to know which segment of their users were affected.
- A Solution: Assure your customers that you are working hard to determine the source of the breach so that you can eliminate any chance of it happening again. It is also common for breached companies to offer at least a year of credit monitoring – this may take some of the sting out of being affected.
So should you be completely transparent with your users following a breach? Without a doubt. But, can you? Be sure to let us know in the comments section below!