Smart business people know that they must secure their systems to withstand the most determined and persistent real-world, as well as cyber, attacks. They must minimize their risk of exposure by deploying the most sophisticated security and anti-malware software, using outside firms to frequently penetration-test their cyber defenses, continuously training their employees to comply with the most stringent security protocols, investigating every vendor and installing state-of-the-art physical security equipment. They must obsessively monitor all of the above. And then, be prepared to manage the damage when the all-too inevitable breach occurs. But in between the technology, training and tracking, it’s all too common to forget one key factor: preparing to deal with the emotions of those customers or employees whose data have been compromised.
Anyone whose data is accessed and exposed in a breach is going to be shocked, scared, concerned and/or angry, at the very least. But while hackers and thieves anonymously lurk behind avatars and screen names selling the pilfered data on black market sites, victims of your breach will have another target (pun intended) for their outrage: you.
Now you can talk ad nauseam about your sophisticated technology and tireless training – no doubt boring most anyone who will listen with the specifics (or at least the details that your lawyers or law enforcement officials will allow you to disclose) of everything you did right and how the bad guys snaked you anyway. But the fact of the matter is that as bad as the breach is for your business, there will be a whole lot of good customers, employees and clients out there whose financial lives are about to be disrupted – with no notice – and whose future lives could well be rocked by identity theft for no reason other than they chose to patronize your business.
Treat Your Customers As You Would Want to Be Treated
Every business must build urgency, transparency and empathy into its breach planning.
What does that mean? For one, you shouldn’t wait until you are outed by reporter Brian Krebs to properly inform your customers. Instead, like Kickstarter did, notify your customers the minute the hole in your system is plugged and the existence of actionable damage is confirmed. The best way to help your customers and maintain your relationships with them is to treat the situation with a sense of urgency. Your security hole might be plugged but, with their data stolen, theirs is open as long as you keep quiet.
Next, be as transparent as possible — without harming any ongoing law enforcement investigation. Acknowledge what you know about the breach, how you suspect it will affect your customers and what you concretely plan to do to remedy the damage your data breach has done to them. Portraying the criminals who hacked your system as sophisticated computer geniuses who broke into a heretofore impenetrable system is only going to backfire when some enterprising reporter discovers that your system was accessed using off-the-shelf hacking programs and your security team ignored warnings to that effect long before anyone did anything about it.
Finally, be empathetic. While you have been (or, at least should have been) preparing for a data breach all along, your customers absolutely did not expect to have their personally identifying information or financial data fall into the hands of criminals today. Though you might know what your company needs to do to fix the problem, or how you might personally cope with being the victim of a data breach, I daresay most of your customers do not and will not. You must treat their feelings — even their anger — with respect, train your employees to do so and work to assuage their fears with information and, if warranted, credit monitoring and resolution services. For instance, the last thing they need is for you to demand additional sensitive information from them before processing their fraud claims, which will only make them feel more powerless, frustrated and angry with your company.
Frankly, all the technology you need to deploy and all training you need to implement to try to protect against a breach is probably easier than planning for urgency, transparency and empathy in your response to the inevitable breach. But as Airbnb’s Chip Conley shows, “scenario planning” can help make the difference between a response that is lambasted by the media and abhorred by your customers, and one that is praised far and wide.