Every day it seems there is another story about a data breach. What’s troubling isn’t necessarily the number of breaches, but the recent news of companies that knew of a breach and did not inform their customers. Reports of companies that failed to report breaches for years are becoming commonplace. I read a story yesterday about a company that knew of potential problems for years and did nothing. Amazing.
Telling your customers that their personal information has been stolen in a security breach is a difficult thing to do. It’s a difficult time that requires careful communication and expediency. It is important to be proactive and communicate the 5 ‘W’s so that your customers will understand and feel supported when receiving this difficult news:
When did it happen? Be as specific as possible about the timing of the data breach. If it occurred during a specific timeframe, let them know, and let them know the timeframe in which the breach may have gone undetected.
Why did it happen? Was the breach due to a security oversight or was there a flaw in a critical system component (e.g. Heartbleed)? It is important to call out why the breach occurred so customers understand that you know the reason their data was stolen. Not communicating this will lead to additional uncertainty around your company’s brand.
Who did it? Was this an external hack or was it data stolen by an employee? Let your customers know as much as you can.
Where did it happen? Was this local to an individual retail outlet or on a specific country website? Narrow down the geographic location to help alleviate any unnecessary uncertainty.
What are you doing about it? What actions are being taken from an IT perspective? Will you be offering your customers credit protection if their card data was stolen? Discounts on future purchases? Are you working with authorities to track down the perpetrator? Be as specific as you can be, especially when it comes to how you are protecting your most precious asset, the customer.
As a colleague of mine likes to say, “Take your pain early.” There’s no better approach when communicating news of a data breach to your customers.