When Data Breaches Happen: 5 Steps for Prevention, Response, and Recovery

Customer Experience
Data breaches can turn into data disasters for organizations unless they properly prepare for and address the violation through a solid recovery strategy.

Customer data is helping organizations engage with their clients in more personalized and relevant ways. But while more data allows organizations to better interact with customers, it also increases their responsibility to safeguard this information and keep it from falling into the wrong hands.

Unfortunately, data breaches have become a regular occurrence, with even high-profile companies experiencing cracks in their databases. Just a few days ago Twitter revealed that a staggering 250,000 user accounts might have been compromised by hackers. Last year Zappos fell victim to a data breach that affected more than 24 million customers, and at Barnes & Noble hackers stole credit card information of customers who shopped from more than 60 stores. "Organizations need to accept the fact that if they have any sensitive data, they are a potential target," notes Olga Spaic, Metia's manager of analytics.

Such occurrences are underlining the need for organizations to have a concrete plan in place to deal with data breaches, says David Fowler, chief deliverability officer at Act-On. Venkat Viswanathan, CEO of LatentView Analytics, agrees. "Attackers are becoming very savvy in finding a way around and accessing information," he says. This is compounded by the high value of customer data, which, according to Mark Bower, data protection expert and vice president at Voltage Security, is an efficiently traded commodity and after a breach is often advertised online for other attackers to use. "When this happens, the business impact can be devastating and disruptive, and to a customer it could be the trigger to end the business relationship to move on," Bower says. This makes it imperative for organizations to prepare for such situations with a well-defined plan that addresses various elements and guides them through the whole process.

As experts point out, most organizations have plans for various disasters, like social media controversies or natural catastrophes. Data breaches should be afforded the same thought and planning. Peppers & Rogers Group founding partner Don Peppers recommends putting together a checklist of actions that need to be taken as soon as a data breach is identified, making sure that no necessary steps are forgotten.

Regaining and maintaining customer trust is a main reason for organizations to properly address data breaches and ensure that customers don't feel the company is keeping them in the dark about a situation that could impact them negatively. Experts share five vital steps that will help organizations to be agile in reacting to data breaches and retain their customers' trust.

  • Set up an immediate response team: While IT experts are best placed to understand what a breach entails, its extent, and how to stem it, organizations need a cross-departmental team, including PR professionals, to mitigate any negative brand sentiment by properly and immediately reporting the issue and communicating the steps the company is taking to resolve it. The team members should be identified before a breach occurs, allowing the company to start addressing the issue immediately and making sure that all employees know their responsibilities.
  • Make a plan and test it: An organization's success in preventing and stopping a data breach depends greatly on how well it is prepared. "Have a concrete plan in place to deal with the breach that is assessed and updated regularly," Act-On's Fowler notes. Viswanathan recommends looking at previous breaches that either the company or other organizations have suffered, and making a plan based on historic data, including what other businesses have done to address a breach. The next step is to make sure that the plan actually works. The only way to determine this is to use previous or fictitious scenarios to test its efficiency, making tweaks according to the results. A plan will allow organizations to be agile at a time when they need to act quickly to keep the problem from intensifying.
  • Create a checklist: During stressful times it is not unusual for organizations to skip important steps. When there are several people working together it's not uncommon for one person to assume his colleague took care of a particular action. In order to avoid such confusion, Peppers highlights the importance of creating a checklist of things that need to be done during a data breach and, where necessary, even the sequence. It's also good to identify beforehand who will be taking care of each step. For example, the PR team might be in charge of creating proactive messaging alerting customers of the breach on the company website. Peppers notes the utility of the checklist should be confirmed by staging a "fire drill," which also indicates whether certain steps have been omitted. No matter how much thought has been put into creating the checklist, Peppers says companies would do well to conduct a drill to put the plan in play, determining which steps are appropriate and triggering ideas about what else to include. "Simulate the conditions of a breach and go through the checklist," Peppers says.
  • Keep customers informed: Keeping customers in the dark about a potential breach of their personal data and letting them find out from other sources is the fastest way to lose customers' trust. Organizations need to make sure they're the ones to tell their clients about the problem. "Acknowledge the data breach and inform affected customers as soon as possible," recommends Metia's Spaic. Immediate and effective communication will be a company's strongest asset in avoiding a loss of trust. Viswanathan says a common mistake is for organizations to spend too much time trying to understand exactly what happened and attempt to solve the problem before reaching out to customers. Instead, business leaders need to communicate with customers at the onset of the breach rather than adopt a closed-door policy, waiting until they have a well-crafted response. It's also essential to keep customers continuously informed of any developments. "Communicate frequently and clearly, without being too technical, and across all channels," Viswanathan suggests. "After a breach you should embrace any and all communication channels to re-establish your position in the market, reinforce consumer trust, and dispel the negative sentiment surrounding your company," Fowler says. Recognizing that not all customers are technology savvy, organizations should give clear instructions on what they need to do, for example changing their passwords. Further, since organizations might expect an increase in the number of customers trying to get in touch with the company, they should have a plan to expand their contact center and also make sure that agents are trained to handle the incoming calls. After notifying customers of the breach, Zappos, for example, took the unusual action of turning off its customer service telephone lines to avoid the expected flood of calls that would leave customers waiting for a long time. In a note to employees, Zappos CEO Tony Hsieh said customers would be better served by having their questions answered by email and all hands were on deck to answer customer questions electronically.
  • Follow up outlining future precautions: In order for customers to regain trust in an organization following a data breach, the business needs to let them know what it will be doing to avoid a repeat occurrence. Fowler suggests that companies use a breach to rethink their privacy strategies and revamp their privacy and compliance policies and vendor contracts to make sure all possible data touchpoints are covered. As much as possible, these policies should be shared with customers, letting them know that the organization is taking action to avoid similar occurrences in the future.

While data breaches cannot always be avoided, the way organizations react to such occurrences will be instrumental in determining whether they retain their customers' trust or lose it and harm their business.