When businesses are hit with data breaches, they face not only legal fees and other clean-up costs, but also potential lost business and damage to the organization’s reputation. Those costs can be significant, which is why it’s critical to respond properly after a breach.
As criminals get better at stealing data, more people are being personally affected by data breaches. At the same time, new laws have made it mandatory for organizations to report many kinds of breaches to affected people.
In a 2005 survey from the Ponemon Institute, 12% of respondents said they’d been contacted about a breach involving their personal information.
In a similar study conducted this year, that number more than doubled, with 25% of the 2,800 survey respondents saying they have been notified about a breach.
How did those data breaches affect people’s opinions of the organization? Among respondents who were affected by a breach:
- 62% said it decreased their trust and confidence in the organization
- 39% said they might discontinue their relationship with the organization
- 35% said they would stay with the organization as long as it doesn’t happen again, and
- 15% said they have already cut ties with the organization or will do so.
The way the organization notifies breach victims can have a big impact on how they feel — and whether they remain customers. However, just 28% of people said they were happy with how they were told about a breach.
How do customers want businesses to respond after a breach? According to the survey, organizations should:
1. Provide all the facts — People care about the security of their personal information, and when it’s at risk, they want all relevant information. However, 58% of people said the notification they received did not include all the facts and “sugar coated” the message.
2. Be clear — Just 48% of people said the breach notifications they’ve received were easy to understand. In addition, 62% said they were too long and poorly written, and 53% said they contained too much legal language. It’s important to not only present all the facts, but also do so in a way the average person can comprehend.
3. Let people know what your organization is doing — When asked what key facts were missing from breach notifications, 51% of respondents said they weren’t told about the measures being taken to protect victims from financial harm. Offering that information lets victims know the company takes the dangers they face seriously.
4. Explain the risks and offer advice — Another 25% said they weren’t given information about what steps they should be taking to protect themselves. Explaining the risks people should prepare for and telling them what they can do will help reduce fear and confusion.
5. Offer financial help — Most people believe a data breach will make it likely that they will be the victim of identity theft. Therefore, the majority expect some kind of reimbursement, with 63% saying they should get cash or free products or services. While that may not be realistic, 56% said organizations should offer credit monitoring services to breach victims, which is a step many experts recommend.
For more information, see Ponemon’s full study.