Data Breach: It’s not what you tell your customers. It’s how you tell them

Businesses often think that a data breach can bring down a company. That’s factually correct – it can. Financially it can be crippling, especially if you’re an SME or a start-up. But it’s actually the way your customers are treated that will reputationally make or break you. Having to be the bearer of bad news – such as telling someone their data has been lost or compromised – is never a comfortable thing to do. But it’s how you tell your valued customers that’s key.

How to break the news?

The ‘how’ starts when you decide what method you’ll use to inform consumers that a breach has happened and their personal data has been exposed. Our recent research shows that 69%* of people would be discouraged from using a company following a breach. Your next steps are, therefore, pivotal. Will you send an email, an SMS or a letter? Interestingly, the answer is less obvious than you might think…

Mail, above all?

In our years of experience dealing with all shapes and sizes of data breaches – from devastating cyber-attacks to small-scale paper events – we have found that an old-fashioned letter can be the most effective and trustworthy way of informing your customers. It does take longer than an email or an SMS, of course. The challenge is that an email can heighten distrust in the customer, who could view it as a scam. They may even ignore it altogether. The same goes for a text message. These are still options, but assessing the scenario will determine what’s best in each individual case.

Your trusted brand

A formal letter, with your logo and typeface – your recognised branding, essentially – will act as a trusted source of information during quite a turbulent time. It puts your customers first, by showing you’re taking the situation very seriously. And this is where a third party can help. It can create first drafts of pre-determined notification letters. Your key core messages will be clear and premeditated, and it will take the legwork away from you. This way, you will also be aligning to expectations around GDPR notification and putting the customer at the heart of the response, and you will be more prepared to act quickly should a live incident occur. It will also give you some much-needed breathing space to focus on crisis communications and getting the business back on its feet.

Clean data

However, if your customer records are not up-to-date, it doesn’t matter which method you use to notify people. If an email or home address is no longer right, you won’t reach your customer, and they’ll be in jeopardy without knowing it. Our recent research has shown that 53% of businesses do not have clean customer or employee data. Frequent data cleansing – such as address verification and mortality checks – makes good business sense. Again, a third party can do this on your behalf, throughout the year.

Above all, it’s about putting your customers at the heart of your response plans. Preparing for the worst but hoping for the best is also a good strategy. But simple preparation well ahead of time – often with the help of a third party – will put your business in a strong position in a time of crisis. Ultimately, how you decide to inform your customers will determine your future relationship with them – and the future success of your business.

Find out more about how Experian help organisations put readiness plans in place so they can know, prepare, and recover with confidence in the event of a data breach.

Read our whitepaper: Readiness vs The Reality

And our Data Breach Response Guide

Our research

Experian commissioned research consultancy ComRes to shed new light on this constantly evolving topic, backed up by new statistics. ComRes is a member of the British Polling Council.

On behalf of Experian, ComRes conducted an online survey of IT business decision-makers at small, medium and large businesses in Great Britain in January 2017, across a variety of sectors (including manufacturing, arts and recreation, business and finance). Respondents were either involved in the decision-making of their company’s data breach management, or aware of data breach management if they were not directly involved. All respondents work for businesses that hold personally identifiable information (PII) data for 100 or more customers or employees. The 200 professionals questioned were from companies of the following sizes: 50 from small businesses (1-49); 50 from medium-small businesses (50-100); 50 from medium-large businesses (101-250); and 50 from large businesses (250 or more). It is important to note that when comparing figures from the business survey this year with 2016 findings, only SMEs were questioned last year, and not large businesses. At the same time, ComRes also surveyed 2,001 British adults to obtain a wide and varied comparison of what business decision-makers think in contrast to the public – or, in other words, their (potential) customers.