Thales eSecurity Blog

When It Comes to a Data Breach, How Do You Want to Be Notified?

August is two-thirds of the way through the year, and we have already seen a number of serious, far-reaching data breaches making headlines: some occurred in 2018, and some from 2017 are only now being disclosed. This underscores the harsh realities of the state of cybersecurity today.

If you have looked at our recently released annual Data Threat Report: Retail Edition, you understand this is not just hyperbole. The U.S. retail sector needs to come to terms with some bad news. Fifty percent of respondents reported being breached last year — that’s more than double the 19% reported the prior year. The good news? The retail sector is responding to the onslaught of breaches, with 84% of companies surveyed planning to increase IT security spending.

For companies coming to terms with the fact that they have been breached, increased investments in infrastructure and/or personnel to protect against future breaches are the tip of the iceberg.

Next comes sharing the news with those impacted.

When it comes to data breach notification laws, things can get tricky and complex, varying state by state. For many companies, the recently enacted GDPR represents the first time there is a formal obligation to notify both a supervisory body and the affected individuals of a data breach, and with its 72-hour breach notification requirement, time is of the essence.

Data breach notifications are often a delicate dance between regulatory requirements and customer experience, and the result is frequently a less-than-perfect communication. Perhaps it’s time for companies to take a step back and put themselves in their customers’ shoes.

What would they want to hear when they’ve fallen victim to a breach? I decided to take that advice and put myself in the shoes of a customer and came up with a list of activities I’d like to see happen in the event that my personal data was compromised in a breach.

  • First and foremost, I’d like the company to be compassionate. Whether my information has been sold on the dark web or may be at risk, it’s a big deal to receive this type of news.
  • Connect me to useful resources. In plain language, offer information on how to protect myself against identity theft and fraud.
  • Taking it one step further, direct me towards reputable sites where I can access free credit monitoring and identity theft recovery services.
  • Above and beyond – offer a designated customer service number where I can get real-time information. This is the perfect opportunity for transparency and to explain in plain English that investigating breaches takes time, just like any other criminal investigation.

These are all very basic things that companies can and should be doing – yet in my experience that isn’t always the case. One example that comes to mind is a company that sent out breach notification emails, which looked alarmingly suspicious, using an unclear subdomain and directed users to click on links full of gibberish. In the crucial moments following a breach, which should be focused on rebuilding customer trust, this company instead taught a lesson on how to make an email look like a scammer’s – even though it was actually legitimate.

Given that data breaches feel almost commonplace, it’s time to recognize that a breach notification reflects on the organization’s brand. In a time of turmoil for a brand, organizations set the stage for their ability to recover by how they communicate with and treat their customers. Consider this communication an important step in either securing or forgoing customers’ loyalty.

Please feel free to leave me a comment below on what you’re looking forward to in 2018. You can also find me at @CindyProvin