As the public grows somewhat used to data breaches, simply having to acknowledge one might no longer be devastating to customer relationships, but how and when to communicate remains critical to damage control, a data security expert said in a recent webinar.
In 2005 or 2006, when customers would be notified of a breach, “many would walk,” said Jon Neiditz, an attorney with Nelson Mullins Riley & Scarborough LLP. “But now we’re besieged with all these big incidents,” and there’s a broader recognition that systems are vulnerable, he said.
“It may well be that per-breach costs are going down” as intangible costs such as brand damage decrease, but response, mitigation and legal costs still can be substantial, Neiditz noted. “There are many events where organizations have gone into the millions of dollars” after running afoul of regulators or being hit with a class action.
“Any of these things can be managed well or badly,” Neiditz continued, and “the cost on the tail end is much greater” than the cost of getting it right on the front end. “You need to be ready very quickly with good communication,” he said, because getting good information out after an incident “is absolutely critical.” That readiness should be part of an incident response plan that is in place ahead of time.
Of course, this shouldn’t detract from the need to have good security in the first place, so “you have a good start on a defensible narrative” that will help salvage trust, Neiditz said. “We’re in a world where there’s tremendous knowledge about marketing, trust-building and customer service,” he added. “Just satisfying the regulatory requirements won’t enhance trust.”
For example, laws like the HITECH Act require notices to include certain information on the breach that may take time to gather. But that doesn’t mean you can’t send something else out right away that’s targeted at containing the problem — and, if possible, tailored to the individual recipient as well, Neiditz said.
In one case, after a recent breach of credit card information, a company sent an e-mail alerting cardholders to check the activity on their account and cancel their card if there was anything suspicious, Neiditz noted. “As the stigma of breach has gone down, there’s more opportunity for strong, direct communications” that minimize harm.
Neiditz, an advisory board member of Thompson’s Employer’s Guide to HIPAA Privacy Requirements, spoke Oct. 12 in a webinar presented by ID Experts.