These days, when a company experiences a data breach, it is only a matter of time before it becomes public–not just to current employees, customers and business affiliates, but to the general population. Though it is hard to quantify the the cost of reputational damage, it definitely impacts a company’s bottom line.
In order to protect a company’s reputation in the face of a breach or exposure, there are factors to be considered:
Before your company fell victim to an exposure, was any preparation done to: prevent the incident from occurring? Is data encrypted? What are your password requirements – do you utilize two factor authentication? While the steps taken ultimately may not have been able to protect your customers’ data, the fact that your organization was proactive about security carries a lot of weight.
While all personal information is important, not all data is considered equal. And, when it comes to public perception, the exposure of certain information is more egregious than others. Unfortunately, there is no universal understanding of what personal information matters to each individual, but it can be assumed that it is directly correlated to the amount of access it would give a bad actor to someone’s larger identity. For example, if someone’s name and birth date are exposed, they may find it less offensive than if their name and social security number were compromised.
How a company responds to an exposure has major reputational implications. While there is no perfect way to respond and appease the masses; timeliness, honesty, lawfulness, and customer-focused solutions speak volumes.
This is a tricky one. Waiting to disclose can lead to frustration. However, failing to answer the obvious questions because of inadequate information only leads to anxiety and frustration. It also puts the company at risk of needing to change its story when new information become available. In both cases, the company looks like it is not in control of the situation. And reputation takes a hit.
That said, don’t wait for the sake of waiting. Customers will hold that against you more than your decision to wait until you had the facts.
In today’s world of social media and public reviews, potential customers have abundant resources to research any company before they become involved. And, if your current customers are unhappy with the way they have been treated, there will be significant challenges in attracting new ones. Additionally, if your employees feel left in the dark, or are unsatisfied with the way security is handled, morale will suffer – and it’s only a matter of time until that sentiment creeps out of the organization.
Legally, a company must notify any impacted customers of a data breach in 60 days or less, depending on state laws, but that is only the bare minimum when it comes to customer management. There are numerous proactive steps that can be taken, for example setting up call centers to ease the inquiry process and training customer service representatives before they need to answer customer calls, that can reassure stakeholders that the company is in control and taking the matter seriously.
This is the fourth part of the Breach 101 Blog Series: “Cost of Non-Compliance”. The other posts explore:
When your personal information is exposed, it is easy to feel that you do not have control of the situation. However, your most powerful tool can never be compromised: your voice. Whether positive or negative, it is important to share your experience of the exposure to help companies shape their reactions in the future, and inform other customers.
Data exposures have long-term impacts that don’t always have obvious price tags–but that doesn’t mean they aren’t important. While you should not prioritize your reputation over proper data breach management, it should be a factor in each step you take. One way to garner easy favor is to take extra steps to protect your customers’ information before an incident occurs. Contact 4iQ to learn more about their immediate solutions.