How to Communicate Security Breach Notifications to Customers

According to a recent study conducted by Risk Management Security, much changed in the data breach world last year. There were more than 3,000 data breaches, a massive 54% increase versus the year before. It’s no secret that by now more than half of organizations have experienced at least one data breach incident that affected their customers’ Personally Identifiable Information (PII).

Fortunately, the awareness of data security importance has also increased. Everyone, from industry leaders to startups, invests in data security technology that will make their business operations safe and keep their brand identity intact.

However, if your company does experience a data breach, you need to be extremely careful about how you break the bad news to your customers. There are certain best practices for sending security breach notifications to your customers, and we’ve collected all of them for you. This data breach response guide is what you need to save your customer base from collapse.

Security Breach Notifications Do’s

Typically, companies have a maximum of 60 days to deliver security breach notifications to their customers. Depending on the number of cases and the amount of damage, some companies will need to do it earlier. It is relevant to note that the notification clock starts ticking when you discover the breach. To make the best of this unfortunate situation follow these key next steps:

1. Scan local data breach laws

Depending on where your customers live and where your business operates, some local laws will require you to notify customers of a data security breach within the first 30 or 45 days. That means that you don’t have much time to draft a data breach letter or establish a call center that will focus on this issue.

This means that you can’t allow yourself to waste time with:

  • Verifying addresses
  • Writing
  • Printing
  • Mailing notification letters

The next thing to be careful about is that which laws apply depends on where the victim lives, not on where your company’s headquarters are located. While one jurisdiction may go easy on you, another may not. You could notify only some of your customers; however, no one likes to be left out. Thus, you should treat all of them equally.

The notifications may also be delayed if the local officials determine it will affect their ongoing investigation. Lastly, some states mandate specific types of content for security breach notifications. It can be information such as toll-free numbers and addresses for the three major credit bureaus, a state’s attorney general, or the Federal Trade Commission.

2. Incorporate the right sentiment

The success of a security breach notification lies in how you deliver it. At this point, your customers will feel betrayed and hopeless. They put their trust in you, they gave you their PII, and you failed them. Thus, it is crucial to understand how they feel and what they would like to hear regarding this situation. Start with an apology while keeping a calm, serious tone. Express your sincere thoughts and be as helpful as possible.

3. Use plain language

Your customers are not data experts. A data breach already sounds quite scary, so stuffing emails with security jargon will make it sound even worse. While you may need to include certain legal terms, other things such as the extent of the damage, the timeline, and how it happened can be explained more clearly. Atlassian research has shown that using plain language is extremely important for avoiding mass panic and losing customers.

4. Give a comprehensive explanation

If your data breach is part of an ongoing investigation, you will be restricted from providing the full story to your customers. However, if that is not the case, you are expected to provide every piece of information that would help customers get the full picture of this unfortunate occurrence and the potential further harm to their personal data.

You can’t go wrong if you stick to the 5W’s principle:

  • Who?
  • Where?
  • What?
  • When?
  • Why?

Make sure to provide these answers – because otherwise, your customers will trust you even less.

5. Use effective headlines

Security breach notification emails are usually quite long. On the other hand, the customer’s attention span is quite short. To avoid making this hard topic even harder, use bolded headlines that will help customers skim the email and get a general idea of what is going on in just a couple of seconds. This is useful for a broad range of marketing practices; however, here it is essential. It will let customers skip the panic attack phase that can happen while they are reading the first lines without knowing whether there’s a solution or positive outcome on the horizon.

6. Inform about the next steps

If you have determined what information has been exposed, inform your customers about what they can do next to minimize the damage. For instance, if credit card details have been stolen, you can suggest they contact their banks or credit card providers to shut down the cards. You need to help them protect themselves, so they don’t feel you’ve left them high and dry. They expect you to be their friend more than ever.

Victim Data Breach Response Don’ts

When communicating security data breach notifications to customers, wrong moves have the potential to worsen the situation and cause you to lose even more of your customers’ trust. Therefore, it’s important to avoid these key mistakes:

1. Avoid personalization

While personalization is a winning tool for all other mainstream marketing purposes, the security breach notification email is certainly not the right place for it. If you continue to use their personal details, it will only signal to them that you are not taking the problem seriously. They already feel exposed and providing more exposure will only push them toward a decision to never trust you again. For this purpose, you can refer to customers by saying “Valued Guest” or simply just “Dear Customer.”

2. Keep it serious

Nothing will shake your brand identity even more than humor in the security breach notification email. A data breach is no joke, it impacts customers’ actual lives significantly as well as the future of your company. When you accidentally send an “oops” email they might forgive you for other situations, but not for this one. Thus keep it serious when the solution requires strict measures.

3. Skip linking

Due to their lack of trust, customers definitely won’t click on any links within your data breach incident response email. Moreover, links only make the message look more suspicious, so customers may think it is a scam, and if they do, you may immediately end up in their trash folder. Especially avoid using link shorteners: they carry no information about the source of a message, so customers will be even warier of clicking on them.

4. Strengthen your brand appearance

Because your brand integrity is seriously damaged you need to be careful about how you are going to deliver your brand signature together with the security breach notification. You need to emphasize that you are the company behind the email. Unfortunately, in their vulnerable state, it is so easy for their panic levels to escalate.

To combat this, make sure that your branding is easy to recognize. Add your logo, your picture, some specific company details that are not easy to get and you are on your way to regaining their trust. Most of all, ensure that all your company’s information is aligned to minimize any chance for confusion.

5. Use trusted domains

It is crucial to use a domain with your brand’s name in it and not some third party service’s. In any other case that would be fine, but not here. Data breach incident response is a highly sensitive topic and even a minor issue could raise doubts. Not to mention how important the domain information is. In other words, nothing says more that you are the sender than your domain name.

Similar to the point above, use tools that confirm it is you on the other side of the communication. For instance, Marriott used a third-party domain to ask their customers for a password reset. It is not a surprise that they weren’t very successful at getting their customers to do it.
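The two "don'ts" on linking and trusted domains can be turned into a pre-send check on the draft notification. The following is an added example, not code from the article or from any company it mentions: it scans a draft for URLs and flags link shorteners and links to hosts outside the brand's own domain, and it checks that the sender address is on the brand domain. The brand domain (example.com), the sender address, the draft text and the shortener list are all constructed for the example, and the shortener list is an assumption rather than a complete inventory.

```python
import re
from urllib.parse import urlparse

# Constructed, non-exhaustive list of well-known link-shortener hosts (assumption).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Matches http(s) URLs in free text; stops at whitespace and common delimiters.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def is_brand_host(host, brand_domain):
    """True if host is the brand domain itself or a subdomain of it.

    The check requires a '.' boundary, so 'example.com.evil.net' is not
    treated as belonging to 'example.com'.
    """
    brand_domain = brand_domain.lower()
    return host == brand_domain or host.endswith("." + brand_domain)


def lint_notification(body, brand_domain, sender_address):
    """Return a list of (kind, detail) findings for a draft notification.

    Kinds: 'sender-domain' (From address not on the brand domain),
    'shortener' (link via a URL shortener), 'third-party-link' (link to a
    host outside the brand domain) and 'link' (any remaining link, reported
    because the article advises against links in these emails at all).
    """
    findings = []
    sender_host = sender_address.rsplit("@", 1)[-1].lower()
    if not is_brand_host(sender_host, brand_domain):
        findings.append(("sender-domain", sender_address))
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;:")  # drop sentence punctuation glued to the URL
        host = host_of(url)
        if host in SHORTENER_HOSTS:
            findings.append(("shortener", url))
        elif not is_brand_host(host, brand_domain):
            findings.append(("third-party-link", url))
        else:
            findings.append(("link", url))
    return findings


def blocking_findings(findings):
    """Findings that should stop the draft from going out as written."""
    return [f for f in findings if f[0] in {"sender-domain", "shortener", "third-party-link"}]


# Constructed draft notification used as sample input.
DRAFT = """Dear Customer,

We are writing to inform you of a security incident affecting your account.
To reset your password visit https://bit.ly/reset-now or
https://example-reset.com/account. Our contact page: https://www.example.com/security.
"""

if __name__ == "__main__":
    results = lint_notification(DRAFT, "example.com", "security@example.com")
    for kind, detail in results:
        print(f"{kind:18} {detail}")
    print("blocking:", len(blocking_findings(results)))
```

Run against the constructed draft, the check reports the bit.ly link as a shortener, the example-reset.com link as a third-party host, and the www.example.com link as a plain link; only the first two are blocking. In practice the brand domain would be the one customers already know from your website, and a sender address on a mailing-service domain would be reported before the draft leaves the review queue.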

We live in a world where information is the most valuable asset – make sure that it is protected! However, mistakes are a part of life, so if it does happen to you, make sure that you have followed the best data breach response and notification procedure to minimize the damage to both your customers’ data and your company’s image!