Anthony Green, of cyber security firm FoxTech, explains how to communicate with customers after a cyber attack.
The short-term costs of a cyber attack are significant. Investigating and containing a breach, rebuilding IT systems and implementing new security controls, as well as the loss of productivity, can all cause severe financial strain.
The long-term costs are often even more damaging. Organisations who do not handle an attack well can suffer further consequences, including reputational damage, a loss of customer loyalty and a drop in share price.
Keeping customers on your side during such incidents is a key component to managing the long-term impact of a sensitive data breach.
Is it necessary to inform customers?
You may not always have to inform customers of a breach. The Information Commissioner’s Office (ICO) – the UK’s authoritative body for data privacy – states that it is only necessary to inform customers of a data breach if the compromised information makes then identifiable.
“That means the first step has to be investigation. As soon as a business becomes aware of an attack, alongside working to end the incident if it is ongoing, it is vital to immediately begin an investigation of what data has been accessed, encrypted or stolen, and develop an incident report. This investigation must be carried out quickly and thoroughly by an in-house cyber security expert or a third-party cyber security company.
If personal information of customers and clients has been compromised to the extent that they are identifiable, this must be reported to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach. This is a legal obligation under UK GDPR and failing to do so can lead to a fine of up to £8.7m or 2% of your global turnover.
Personal information can include:
- Bank account details.
- Location data.
- Identification numbers e.g. passport or driving licence.
For full information about what constitutes identifiable personal information, read the ICO’s guidance on personal data breaches.
Customers will rightly have concerns about their data being exposed. They may need to take actions to protect themselves against fraudulent use of their information, so being transparent, taking responsibility, and providing regular, honest communication on the facts of the breach is the best way to keep their trust in your business. Most customers won’t be knowledgeable in cyber security, so always use plain English.
Make sure customers know:
What aspects of their data have been compromised.
What to do next: e.g. check bank accounts for suspicious payments, change passwords, be alert to phishing emails appearing to be from the breached organisation.
If the investigation is ongoing, and not all the information is known, be honest about that. Always update customers of new discoveries relevant to their personal information.
Set up new customer support channels
To deal with high volumes of calls and customer enquiries, organisations may need to set up new customer support channels and information hubs.
For example, when Delta Airlines informed customers of a breach to their personal data in 2018, the company created a new webpage with an overview and timeline of the breach, as well as an FAQs section which pointed customer to communication channels. Delta Airline’s case is seen in the security industry as a great example of how to respond well to a data breach.
Ensure that customers know where they can go for support. Provide the contact details of your data protection officer, or whoever in the organisation is dealing with the effects of the breach.
Organisations who experience good customer retention after a data breach often provide affected individuals with some form of compensation.
This could mean covering any costs of securing personal information, or providing discounts, free services, or special offers.
Create an open dialogue
Don’t be shy to discuss a breach once the immediate aftermath has been dealt with.
Involve industry experts, clients and even the public to discuss the breach, and demonstrate what you are doing to prevent a similar occurrence in the future. Not only does this signify your willingness to adapt and take responsibility, but it also reassures affected individuals and helps to educate other companies on why security incidents occur, and how they could minimise their own risk.
Whether or not an organisation has been the victim of a cyber attack, all companies should develop an Incident Response Plan to ensure they are prepared to respond well to a breach. See the National Cyber Security Centre guidance for creating this document. If there is no in-house cyber security expert, the report should name a third-party cyber security partner who can manage the technical aspect of a breach.
It is only necessary to inform customers of a data breach if the compromised information makes then identifiable. ICO’s guidance on personal data breaches: What is personal data? | ICO
Delta Airlines Case Study. Radware blog: Delta Air Lines Security Breach: Case Study on How to Respond (radware.com)