Smart business people know that they must secure their systems to withstand the most determined and persistent physical, as well as cyber, attacks. They must minimize their risk of exposure by deploying the most sophisticated security and anti-malware software, using outside firms to frequently penetration-test their cyber defenses, continuously training their employees to comply with the most stringent security protocols, investigating every vendor and installing state-of-the-art physical security equipment. They must obsessively monitor all of the above. And then, be prepared to manage the damage when the all-too-inevitable breach occurs. But in between the technology, training and tracking, it’s all too common to forget one key factor: preparing to deal with the emotions of those customers or employees whose data have been compromised.
Anyone whose data is accessed and exposed in a breach is going to be shocked, scared, concerned and/or angry, at the very least. But while hackers and thieves anonymously lurk behind avatars and screen names selling the pilfered data on black market sites, victims of your breach will have another target (pun intended) for their outrage: you.
Now you can talk ad nauseam about your sophisticated technology and tireless training – no doubt boring most anyone who will listen with the specifics (or at least the details that your lawyers or law enforcement officials will allow you to disclose) of everything you did right and how the bad guys snaked you anyway. But the fact of the matter is that as bad as the breach is for your business, there will be a whole lot of good customers, employees and clients out there whose financial lives are about to be disrupted – with no notice – and whose future lives could well be rocked by identity theft for no reason other than they chose to patronize your business.
Treat Your Customers As You Would Want to Be Treated
Every business must build urgency, transparency and empathy into its breach planning.
What does that mean? For one, you shouldn’t wait until you are outed by reporter Brian Krebs to properly inform your customers. Instead, like Kickstarter did, notify your customers the minute the hole in your system is plugged and the existence of actionable damage is confirmed. The best way to help your customers and maintain your relationships with them is to treat the situation with a sense of urgency. Your security hole might be plugged but, with their data stolen, theirs is open as long as you keep quiet.
Next, be as transparent as possible -- without harming any ongoing law enforcement investigation. Acknowledge what you know about the breach, how you suspect it will affect your customers and what you concretely plan to do to remedy the damage your data breach has done to them. Portraying the criminals who hacked your system as sophisticated computer geniuses who broke into a heretofore impenetrable system is only going to backfire when some enterprising reporter discovers that your system was accessed using off-the-shelf hacking programs and your security team ignored warnings to that effect long before anyone did anything about it.