Responding to a breach is not just about data, it is about taking care of, and protecting, customers
The new General Data Protection Regulation (GDPR) has shone a light on how businesses prepare for, and respond to, a data breach.
With cyber criminals becoming increasingly sophisticated, the majority of organisations realise a data breach is simply a matter of when, not if. The most robust cyber defences operate and evolve on this basis but, when faced with such an incident, many firms will instinctively focus their resource and efforts on containment, rather than on their most important asset: their customers.
Once the data is gone, it is the customers who need protection. As the very visible outcome of the breach takes hold, organisations with significant customer databases that do not prioritise customer needs risk magnifying the crisis exponentially. This could include the triggering of regulatory fines but also customer loss, a hit to brand reputation, trust and, potentially, even share price.
There are key steps a business can take to ensure readiness and enable an effective, customer-centric response during a breach.
Pre-breach: expect the expected
GDPR states that firms are mandated to put in place appropriate “organisational measures” as part of their breach preparation. These measures include the notification to customers ‘without undue delay’ of any breach that is likely to create a privacy risk for them. At the same time, the risk to customers caused by a breach makes protecting them a key priority.
The risk for customers begins in the immediate period after the breached data is exfiltrated. Criminals are not just using the stolen data to potentially access customer accounts but are also looking to defraud them through phishing emails and call scams.
Notifying customers quickly about the breach is the first step. Supporting and protecting them in the days and weeks following the incident is what really counts. That support can be needed over weeks or months, as the data is not always used immediately.
So, timeliness is important when mobilising a breach response – GDPR’s 72-hour notification window reinforces the need to set into motion an operation of the scale and capability required to provide an adequate customer response along similar timelines. If unprepared, this becomes a highly visible, high-risk race against time to enact a complex operation of notification.
Resource pressures now appear. Breaches lead to a big spike in customer enquiries and concern, placing huge demand on internal operations – which are already delivering other services. Having enough resources to continue “business as usual” operations alongside setting up an effective breach response is an enormous challenge.
Coping with the surge in worried customer calls could lead to long “call waiting” queues which can very quickly transition to negative social media commentary and press coverage about frustrated customers being ignored.
A range of specialists
In addition to resource issues, a data breach also requires an extensive range of specialists to support a successful customer response. This ranges from experts in customer messaging to social media analysts, operational specialists, identity protection and forensic investigators. This army of support must be coordinated and managed with military precision to ensure the right level of support is delivered to the customer in the most appropriate way and in a timely manner.
Finally, having the key infrastructure in place to support a fast breach response is critical. The telephony capacity and routing to handle the spike in customer calls, mass printing and mail-out capability, database cleansing and management all need to be ready to go live with supporting contracts already in place. This is work that must be concluded before any breach takes place: resources identified, capacity identified and contracted, customer support readiness planning and exercising conducted.
Post-breach: minimising the impact on customers
The outcome of a breach response is ultimately determined by two factors: the speed of notification and the quality of response. Successful plans recognise the volume of trained resource required to be in place to enable every one of the business's “at risk” customers to be notified, their questions and concerns addressed and any suspected fraudulent activity remediated through identity repair advice.
To be truly customer-centric, this should include the ability to handle high-volume first class mail, a high-capacity incident response website, a phone system able to quickly and securely route customer calls and emails, and an identity protection platform.
The quality of the customer notification response is, unsurprisingly, determined by the level of specialist skills and experience of the customer response team.
Far from being a “one off” activity, customer support staff should have specialist knowledge and crisis experience. This could mean the difference between a positive and negative customer experience, or between retaining their loyalty and a reputation-damaging customer loss headline.
While some customers will simply want to know what has happened and why, others may believe they have been personally attacked or have other worries about their online identity. The scope of concerns will be wide across an audience with significantly different levels of understanding of the digital world and the realities of cyber risk.
The quality and awareness of a firm’s customer handling staff in the contact centres is key. Their ability to triage the needs of different customers, provide identity protection advice and support, as well as help with identity repair will become the central tenet of this customer engagement. In many cases this is outsourced to professionals who do this work all the time, to speed action and improve customer care.
Complementary to this is having a full identity protection strategy in place. This should encompass everything from access to credit monitoring and fraud alerts to specialist identity repair support services. In a vulnerable, post-breach scenario, this can do much to alleviate customer concerns and reassure them that everything is being done to support and protect them.
Failure to care for the customer is failure to manage the reputation.
It is almost inevitable that organisations will find themselves facing a data breach at some point, but it is not inevitable that the consequences include customer migration to competitors. Best practice customer breach support protects customers, minimises regulatory and reputational risk and reduces the overall financial impact of a data breach.
Deploying this at the pace required by customers and dictated by GDPR is only possible with effective planning before any breach occurs – ensuring that the right expertise is available to cope with the volume of customer queries, and that secure and scalable infrastructure delivers the best service to those who determine the future of the business – the customers.
Taking a customer-centric approach to planning for and responding to a data breach is the key to ensuring a positive outcome for organisations and their customers alike.
written by Dominic Cockram (Deloitte) for ComputerWeekly.com