Friday, December 29, 2006


We often talk with businesses about protecting their customers after their business data has been stolen, lost, hacked, or compromised. Consumers are required by law to be notified when their personal information, such as name, address, and social security number (SSN), has been compromised, and failure to provide timely notification carries heavy fines and penalties.

The responses by businesses vary from simple notification of a breach containing minimal information to advanced protective services provided by the business for the “at risk” consumer.

What should a business do when faced with a breach of consumer data? Complying with the law is one thing, but retaining valued customers is another thing entirely. If customers are valued, then minimal protection will undoubtedly result in the loss of those customers. A fully formed protection program, while challenging, may actually bond the business closer to its customers as the business demonstrates care and competence in managing this very real crisis.

Here is a list of things that will ensure that customers lose confidence in a business which is sending a breach notice:

A simple notice of breach, without explanation and with no remediation.

To assure customers that you care about the breach you must explain in simple terms what happened, what you have done to correct the breach, and whether the breach was intentional or inadvertent. Most breach notices, written by lawyers afraid of litigation, will say nothing about corrective action, your competence to deal with the crisis, or your loyalty to customers. A business that sends a minimal breach notice will undoubtedly scare its customers, who may well take their business elsewhere. Customers often need someone to talk to who can assure them that competent and speedy action has been taken to provide protection.

A simple notice of breach with minimal explanation and a free credit monitoring service.

Credit monitoring provides no meaningful protection to customers if their information has been compromised. Customer information is stolen for many types of crime. For example, false employment fraud, IRS fraud, medical benefits fraud, and over 75 other types of identity-theft-related fraud go undetected by credit monitoring. In other words, more than 75% of all identity fraud cannot be protected against by credit monitoring. Further, credit monitoring services detect credit card fraud only after the fraud has occurred, and the consumer is left to clean up the mess. Think of a fire alarm that goes off after the house has burned down – that’s the value of credit monitoring. Consumers are lulled into thinking they are protected by these services, but as recent press coverage (see comments on press coverage in our other blog entries) has shown, consumers become very angry when the identity thieves strike and their imagined protection proves worthless.

Here is a program that will work and will demonstrate competence and care of valued customers.

-- A brief and timely explanation of the details of the breach, without providing information of value to thieves. When did the breach occur? What have you done to keep breaches from happening again (e.g., new security measures, fired a sub-contractor, employee training programs, etc.)? Was the breach intentional – was the information targeted for theft, or simply lost or misplaced? A missing backup tape presents one set of challenges to a consumer, but a broken window and a smashed file case with selected records missing is something entirely different. Even worse is a targeted and hacked computer database.

-- Consumers need assurance that you are competently protecting their interests. They need a human to talk to about the breach, both at the company whose data was breached and at the company that provides protective services. Consumers need to know that the business cares, and that identity theft prevention, detection, and recovery experts are available to discuss their concerns and to take action. Disembodied phone trees with endless recorded messages are certain to make the customer angrier than they were when they received the breach notice.

-- A program that addresses all the avenues of crime that the loss of customer data enables is required. In addition to credit crimes, these include false employment fraud (the most common form of identity theft, and devastating to consumers in the long run), medical benefits fraud, IRS fraud, bank theft and forgery, driver’s license fraud, immigration fraud, and many, many others. While it may prove impossible to protect customers entirely following a breach, systems which prevent, detect, and have recovery procedures in place for these crimes are critical in keeping valued customers.

-- Rapid reaction and response if a consumer is defrauded is a major requirement, and it is missing from almost every program available today, such as credit monitoring programs. The customer needs a hotline and a trained identity theft expert available in a timely fashion to respond to hints of fraud or to actual fraud. If a business values its customers it will not leave them out in the cold when the identity thieves strike.

Acquiring and keeping satisfied customers is a high priority for almost every business. Business managers should treat breaches of customer data using the golden rule. How do you want to be treated as a business person if another business loses control of your personal information? How would you feel if you were essentially told you were on your own, or given security tools which were simply unable to provide any meaningful safety to you or your family? A business data breach is ugly, but it provides an opportunity for the business to demonstrate that it values its customers and that it is competent in protecting them in the future. In other words, it is a business that is worthy of continued patronage.

