How to tell your customers that you've been hacked [Q&A]
The short-term costs of a cyberattack are significant. Investigating and containing a breach, rebuilding IT systems and implementing new security controls, as well as the loss of productivity, can all cause severe financial strain.
However, the long-term costs of a breach are often even more damaging. Enterprises that do not handle an attack well can suffer a number of further consequences, including reputational damage, a loss of customer loyalty and a drop in share prices.
We spoke to Anthony Green, CTO of cyber security firm FoxTech, about how to keep customers on an organization's side after a cyberattack has occurred.
BN: How do you determine whether it's necessary to inform customers of a data breach?
AG: It's true that it isn't always necessary to inform customers that an attack has taken place. The Information Commissioner's Office (ICO) -- the UK's authoritative body for data privacy -- states that it is only necessary to inform customers of a data breach if the compromised information makes them identifiable -- this includes names, date of birth, bank details, and identification numbers on a passport or driving licence. The ICO has a guide to what constitutes identifiable personal information.
To determine whether information that reveals a customer's identity has been taken, the first step needs to be investigation. As soon as a business becomes aware of an attack, alongside working to end the incident if it is ongoing, it is vital to immediately begin an investigation of what data has been accessed, encrypted or stolen, and develop an incident report. This investigation must be carried out quickly and thoroughly by either an in-house cybersecurity expert, or a third-party cybersecurity company.
BN: If personal data has been taken, how quickly should it be reported to the ICO?
AG: Personal data breaches must be reported to the ICO within 72 hours of an organization becoming aware of the breach. This is a legal obligation under UK GDPR, and failing to do so can lead to a fine of up to £8.7 million ($9.74 million) or two percent of your global turnover.
BN: How should a business go about informing their customers of a breach?
AG: The most important thing is to be honest. Customers will rightly have concerns about their data being exposed. They may need to take actions to protect themselves against fraudulent use of their information, so being transparent, taking responsibility, and providing regular, honest communication on the facts of the breach is the best way to keep their trust in your business. Most people aren't knowledgeable in cybersecurity, so always use plain English.
Make sure customers know what aspects of their data have been compromised and what to do next. This could be checking bank accounts for suspicious payments, changing passwords, or looking out for phishing emails appearing to be from the breached organization.
If the investigation is ongoing and not all the information is known, businesses should be honest about that, updating customers of any new discoveries relevant to their personal information as they are revealed.
BN: Do organizations need to make provisions for extra customer support channels?
AG: To deal with high volumes of calls and customer inquiries, organizations may well need to set up new customer support channels and information hubs.
When Delta Airlines informed customers of a breach of their personal data in 2018, the company created a new webpage with an overview and timeline of the breach, as well as an FAQs section which pointed customers to communication channels. Delta Airlines' case is seen in the security industry as a great example of how to respond well to a data breach.
Ensure that customers know where they can go for support. Provide the contact details of data protection officers, or whoever in the organization is dealing with the effects of the breach.
BN: Are businesses required to offer any compensation to affected customers?
AG: It's not a legal requirement, but organizations that experience good customer retention after a data breach often provide affected individuals with some form of compensation. This could be in the form of covering any costs of securing personal information, or providing discounts, free services, or special offers to affected customers.
BN: Any final advice?
AG: Don't be shy to discuss a breach once the immediate aftermath has been dealt with. Involve industry experts, clients and even the public to discuss the breach, and demonstrate what you are doing to prevent a similar occurrence in the future. Not only does this signify your willingness to adapt and take responsibility, but it also reassures affected individuals and helps to educate other companies on why security incidents occur, and how they could minimise their own risk.
Finally, whether or not an organisation has been the victim of a cyber attack, all companies should develop an Incident Response Plan to ensure they are prepared to respond well to a breach. There's National Cyber Security Centre guidance for creating this document. If there is no in-house cyber security expert, the report should name a third-party cyber security partner who can manage the technical aspect of a breach.