How to Minimize the Impact of a Data Breach

ID Experts' Rick Kam describes a customer-centric action plan

Thirty-one percent of customers—nearly one-third of a company's client base and revenue source—are terminating their relationship with organizations following a data breach, according to a recent study by the Ponemon Institute.

Sound the customer retention alarm.

When it comes to a data breach, companies are making some major mistakes and as a result, customers are beating the street—potentially paving a pathway for your fiercest competitor.

The good news is you can prevent it and avoid the costly impact of a breach: first, by putting a proactive plan in place and second, by adopting tactics that maximize retention.

The high-cost impact of a breach

It seems as if every day we are hearing about another corporate data breach, and in fact, we are. In the first quarter of 2008, 167 breaches were reported to the Identity Theft Resource Center—more than double the first quarter of 2007. Last year alone saw the exposure of nearly 128 million personal records.

With the Computer Security Institute reporting that 46 percent of computer security professionals have had security incidents in the past year, 26 percent of which have had more than 10, you begin to see the magnitude of the problem. The repercussions—and potential for customer revenue loss—are costly. According to a 2007 study by the Ponemon Institute, the average cost of a data breach is $6.3 million. Sixty-five percent of this cost is the direct result of lost business, including customer termination—a rate that is increasing by 30 percent a year. These costs still do not include the additional cost of acquiring customers to replace the ones lost—estimated at five to 10 times the cost of retention—requiring even more investment on your company's part.

All this amounts to an unpleasant picture, one where current practices in breach response are falling short in keeping your customers, and therefore revenue, within your company.

Recent research by the Ponemon Institute, the Consumers' Report Card on Data Breach Notification, has provided some of the most useful information to date to help organizations determine the most effective techniques to minimize the impact of a breach and to retain customers. A key takeaway from this research is a large gap between what companies are required to do, and what they should do to retain customers and their revenue.

Legal obligation vs. Customer satisfaction

Forty-three states, as well as the District of Columbia and Puerto Rico, require organizations to distribute some sort of notification to populations affected by a data breach. However, these laws do not address customer satisfaction or necessary components of a response to keep customers.

Key steps in minimizing the impact

Based on the Ponemon study's findings, organizations should consider the following in order to minimize customer churn following a breach:

  1. Create a response plan or review your current one. Have a thought-out and actionable plan in place so your post-breach response can be as effective as possible. This is no time to play Russian roulette with the 31 percent of your customer base who are ready to walk away. For generations, the Boy Scouts have said it best with their motto: Be Prepared.
  2. Deliver timely and forthright notification. Large delays in notification signal to your customers that you are hiding something and/or they are not important to you, despite some realities that it takes time to assess the impact of a breach. Although it may not be possible to notify customers within a week, or even several weeks following a breach, your goal should be to notify them as soon as possible, with what reasonable information you can divulge at that time.
  3. Provide complete and believable information. For many of your customers, a breach itself will be enough reason for them to walk. But for others, the quality of information you provide will be the key determinant in their decision to stay. Within your notification, be sure to provide your customers with clear and concise information about the breach, including specific details on how the breach will affect them. Is their personal information in the hands of identity thieves? Do they have to close their credit card accounts?
  4. Develop your messaging, then rethink it. And rethink it again. Many respondents in the Ponemon study found communications to be unbelievable or misleading, failing to reduce their fears about potential harms they faced because of a breach. Even if you are being factual, think about how you are stating those facts. Notification letters and public communication about the breach are crucial in determining customers' reactions, and you must carefully walk the fine line in your communications between being firm yet friendly, and concerned yet in control and taking responsibility.
  5. Act as an educator. Although you are the bearer of bad news, you also have the opportunity to be the bearer of solutions. Lay out for your customers the next steps they can or need to take after they are notified. Include information, phone numbers and Web sites on freezing credit files, getting free credit reports and other tips customers might want to know and follow. At little or no cost to your organization, acting as an educator will not only help your customers recover from the incident, but maintain your organization as a trusted source.
  6. Consider offering free or subsidized identity protection services. Offering identity protection services has proven to have a positive effect on customer retention, and in many cases, offering such services is more affordable than new customer acquisition strategies. Individuals who receive free or subsidized services, such as credit monitoring, identity theft insurance or identity recovery services, feel less concerned and worried about the breach after it happens. Similarly, customers who receive these services are also less likely to terminate, or consider terminating, their relationship with your company.

A customer-centric response approach

To maximize customer retention following a data breach, you must notify your customers in a timely fashion, be honest and thorough in your communications, provide useful and relevant information on next steps, and if appropriate and affordable, offer services to protect your customers from harm and address their fears of becoming victims of identity theft.

This customer-centric approach to breach response will help you prevent costly customer churn and, in turn, minimize revenue loss.

Rick Kam is President of ID Experts, a provider of identity theft protection and data breach services for consumer and corporate customers.

Copyright © 2008 IDG Communications, Inc.