Five Dos and Six Don’ts for Responding to a Data Breach

April 29, 2014 in Cyber Attacks

We hope that your business is never victim of a security or data breach. But, with some studies suggesting [updated for 2017] that not only are data breaches increasingly common, but increasingly expensive as well, it’s important to prepare. And part of that preparation includes knowing what to say — and what not to say.

Here are some Dos and Don’ts that might help guide your response:

Do:
  1. Get your story straight. Get as many facts and answers as you can. Decide what you’re going to say, who you’re going to say it to, and how you’re going to say it. A pre-announced briefing for the media is probably not going to be on your agenda. But even if you’re sending a letter to affected customers or posting an announcement on your website, get it right the first time.
  2. Talk to your lawyers and get the best advice on what your legal obligations are. That’s because you will have legal obligations. And risks. There are numerous laws and regulations that can dictate your response to a breach, and a good lawyer should be able to guide you.
  3. Talk to your employees and prep them for the fallout. Don’t let them be the last to know, because the data breach and any resulting publicity will affect them too, especially if the breach was the result of employee error, which it often is.
  4. Assign one person to be the spokesperson. It’s always helpful to put a trusted, friendly face or voice to your communications, so find one and stick with it. Who tells your story, and how they tell it, can be just as important as the story itself. Ideally you should be that face, because it suggests you’re personally accepting responsibility and not hiding.
  5. Be contrite and honest, and even position yourself as a victim, too. Let’s face it, even if you invest all you can in security there’s still a chance that you’ll fall victim to some kind of breach. Which means you may be just as much a victim as your customers. As part of your communications, make it clear that while you did everything you reasonably could, you’re still very sorry this happened. And you’re going to see if there’s anything you could have done better.

Don’t:
  1. Try to hide or bury it. Data breaches won’t go away. Apart from legal obligations that may require you to make a public announcement and contact all of your customers individually, hiding or minimizing is usually interpreted as greater guilt.
  2. Say it’s no big deal because no Social Security or credit card numbers were stolen. Your customers know more about data breaches than you think, because they’ve been through so many. Any kind of personal information is of value on the black market, including names, addresses, phone numbers, shopping history, purchasing preferences, email addresses, and especially email passwords.
  3. Delay news and updates longer than you have to. Often the thing your customers will hold against you most or longest is any inexplicable delay in notifying them that their personal information has been exposed. Not only do delays suggest you’re trying to hide something, they make customers angry because it deprives them of the opportunity to respond faster to protect themselves from something they feel you were responsible for.
  4. Make it hard for your customers to get answers and facts. In some of the biggest and most publicized data breaches, the businesses involved have been criticized for hiding the information on their website. The harder you make it for your customers to find the answers and facts, especially on your website, the angrier you’ll make them.
  5. Hide behind your lawyers. Fairly or not, lawyers are not exactly the most popular professionals. And while your lawyer might be very eloquent and able to carefully answer any questions, angry customers won’t be impressed. Ideally they like to see the top dog, the boss of all bosses, AKA you. It doesn’t mean you have to be there all the time. But simply adding your photo and name to any announcements or updates can make them much more personal and believable.
  6. Announce that you’re finally going to get serious about security. It was only after its massive data breach that affected more than 70 million customers that Sony Corporation announced that it would finally appoint a Chief Information Security Officer, even though the company had been at the leading edge of technology for half a century. How that translated to the public was that Sony never took security and privacy as seriously as it should have, which probably contributed to the breach.

You’re wasting your time seeking absolute security — it does not exist. But not defending yourself (and your customers) is not an option: use multiple layers of security that give you the best protection possible and demonstrate that you really are serious about security. Explore the variety of security solutions that SiteLock provides for sites of all sizes and functions. And if the worst should happen to you, be prepared.

Google Author: Neal O’Farrell
