Broaching a Data Breach


marcom

data security

Data breaches are a sign of the digital times. Here’s how to communicate your company’s data collection practices and respond in the event of a data breach.

By Christine Birkner | senior staff writer

 cbirkner@ama.org

Security experts are calling data breaches the “new reality.” Over the past few years, corporations such as Target, The Home Depot, Sony and Anthem have fallen victim, compromising millions of U.S. consumers’ credit card numbers, health records and other personal information. In 2014, data breaches hit an all-time high in the U.S., with 1.1 billion personal records compromised, up 22.3% from 2013, according to Risk Based Security Inc., a Richmond, Va.-based data security consulting firm.

“This is the world we live in. Data breaches are going to happen, and they’re going to continue to happen wherever there are large amounts of data being stored that’s of value,” says David Barton, managing director at Chicago-based business consultancy UHY Advisors Inc., who specializes in IT compliance and technology risk and controls.

Here, experts offer advice for communicating with your customers about data collection practices and crafting a response in the event of a data breach.

marketing news | June 2015


Communicating About Data Collection

Make sure that your data privacy policies are listed on your website, and let your customers know that security is a priority, Barton says. “It could be a simple paragraph, maybe included in the privacy policy, that says, ‘Your information is something we are stewards of, and we do everything we can do to protect your data and not allow it to get into the wrong hands.’ It’s about letting folks know that it’s not something you take lightly.”

Adds Benn Konsynski, professor of information systems and operations management, specializing in digital commerce, at Atlanta-based Emory University: “No one will ever make a guarantee of complete protection, but you want to show that you value and respect their trust in you, and that you’re taking best practices to protect that content.”

Let your customers know up front whether you plan to share their data with third parties, and allow them to opt out or opt in to data sharing, says Inga Goddijn, executive vice president and managing director of insurance services at Risk Based Security. “Giving people control over that really builds trust over the long term.”

But don’t get too detailed. Sharing too much information about your security practices can open the door for attackers who are trying to access your data, she adds. “Those conversations should be geared towards the culture of security, and how you’re fostering security in the organization, instead of talking specifically about, ‘This is what we do, and who we use.’ ”

Crafting a Breach Response

Have a communications team and a response plan in place so that you can react quickly if a data breach occurs, says Rick Kam, president and co-founder of Portland, Ore.-based ID Experts, which specializes in data breach response software and management. “Identify a single spokesman, whether it’s the CEO or another C-level executive. People want to know whether they’re at risk of falling victim to identity theft, so what happened, when it happened and where people can go for information needs to be crafted before a breach so that when it occurs, you’re ready.”

Get other departments involved in the communication plan, Goddijn says. “IT, legal, leadership and marketing people all need to work together anytime there’s a large breach. Everybody needs to know what’s going on, so they can make decisions about how they’re going to respond publicly.”

And get out in front of the media. Don’t let your data breach make headlines before you’ve had the chance to inform your own customers, Barton says. “The best thing you can do, from a PR standpoint, is come out and say: ‘We are investigating the possibility of a breach. There have been reports of suspicious activity and we’re trying to confirm the source.’ Let everyone know that there’s more information forthcoming as you investigate.”

While timeliness counts, make sure that you have meaningful information to share, Goddijn says. “Don’t rush to notify people if you don’t know what’s going on and you can’t tell them who’s impacted or what kind of data was impacted, or if the situation has been fully contained. It creates the impression that things are out of control, which can foster distrust in how you’re handling the breach. You don’t want to have to go back and change your story a week later.”

Konsynski agrees. “Saying that you think something happened doesn’t make any sense at all. You have to speak with certainty but not delay the messaging. You don’t want to be a minimalist, but you also don’t want to over-dwell on it and create more alarm than there might be.”

Repairing Relations

If a breach really has occurred, provide your customers with a contact number, Goddijn says. “Data breaches are always at the back of people’s minds, and it affects their feelings about your brand when it happens. Recognizing that, and giving your customers an avenue to reach you so they can express their concerns, is important. Mostly, when a data breach happens, people just want to be heard.”

Another way to rebuild trust after a data breach is to offer free credit monitoring or identity repair services, she adds. “It’s a good step to take to show that you’re concerned about the implications of this event.”

Above all, let customers know that you’re listening, Konsynski says. “It’s your mission to prevent anything from happening, detect and remedy it if it does, and minimize the damage. The confidence that you build is going to be based on those actions and on an open pattern of communication,” he says. “The key part is getting the customer to understand that you respect their information, you only collect what you need to serve them, and that you treat that data with respect.”

For more on data security, check out “Protecting Their Turf” from the November 2014 issue of Marketing News, available on AMA.org.
