Anthony Green, CTO of cyber security firm FoxTech, discusses how to communicate with customers after a cyber attack has occurred.
The short-term costs of a cyber attack are significant. Investigating and containing a breach, rebuilding IT systems and implementing new security controls, as well as the loss of productivity, can all cause severe financial strain.
However, the long-term costs of a breach are often even more damaging. Organisations that do not handle an attack well can suffer several further consequences, such as reputational damage, a loss of customer loyalty and a drop in share price.
Keeping customers on the organisation’s side during a cyber incident is a key component of managing the long-term impact of a sensitive data breach.
Determine whether it is necessary to inform customers
It may not always be necessary to inform customers of a breach. The Information Commissioner’s Office (ICO) – the UK’s authoritative body for data privacy – states that it is only necessary to inform customers of a data breach if the compromised information makes them identifiable.
That means the first step needs to be an investigation. As soon as a business becomes aware of an attack, alongside working to end the incident if it is ongoing, it is vital to begin investigating immediately what data has been accessed, encrypted or stolen, and to develop an incident report. This investigation must be carried out quickly yet thoroughly, by either an in-house cyber security expert or a third-party cyber security company.
If the personal information of customers and clients has been compromised to the extent that they are identifiable, this must be reported to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach. This is a legal obligation under UK GDPR. Failing to do so can lead to a fine of up to £8.7 million or 2% of your global turnover.
Personal information can include:
- Name
- Bank account details
- Location data
- Identification numbers, e.g. passport or driving licence numbers
Read the ICO’s guidance on personal data breaches for full information about what constitutes identifiable personal information.
Be honest
Customers will rightly have concerns about their data being exposed. They may need to take action to protect themselves against fraudulent use of their information. Being transparent, taking responsibility and providing regular, honest communication about the breach is the best way to keep their trust in your business. Most customers won’t be knowledgeable about cyber security, so always use plain English.
Make sure customers know:
- What aspects of their data have been compromised
- What to do next, e.g. check bank accounts for suspicious payments and change passwords. They should also be alert to phishing emails appearing to come from the breached organisation.
If the investigation is ongoing and not all the information is known, be honest about that. Always update customers on new discoveries relevant to their personal information.
Set up new customer support channels
To deal with high volumes of customer enquiries, organisations may need to set up new support channels and information hubs.
When Delta Air Lines informed customers of a breach of their personal data in 2018, it created a new webpage with an overview and timeline of the breach, plus an FAQ section that pointed customers to communication channels. Delta Air Lines’ case is seen in the security industry as a great example of how to respond well to a data breach.
Ensure that customers know where they can go for support. Provide the contact details of your data protection officer, or whoever in the organisation is dealing with the effects of the breach.
Provide compensation
Organisations that experience good customer retention after a data breach often provide affected individuals with some form of compensation.
This could take the form of covering any costs of securing personal information, or of providing discounts, free services or special offers to affected customers.
Create an open dialogue
Don’t be shy about discussing a breach once the immediate aftermath has been dealt with. Involve industry experts, clients and even the public in discussing the breach, and demonstrate what you are doing to prevent a similar occurrence in the future. Not only does this signal your willingness to adapt and take responsibility, but it also reassures affected individuals and helps to educate other companies on why security incidents occur and how they could minimise their own risk.
Whether or not an organisation has been the victim of a cyber attack, all companies should develop an Incident Response Plan to ensure they are prepared to respond well to a breach. See the National Cyber Security Centre guidance on creating this document. Finally, if there is no in-house cyber security expert, the plan should name a third-party cyber security partner that can manage the technical aspects of a breach.