
After a data breach, talk is cheap

- Dave Nelson, CISSP, is president and CEO at Integrity.

I had lunch with a friend today who was affected by a recent data breach at a restaurant his wife and kids frequent. I will not name the company, but it is publicly traded with restaurants in 35 states. So, this isn’t a mom and pop shop. It’s a large enterprise. My friend had concerns about the data breach, and emailed the company to see what support it was going to provide as a result of the breach.

To his amazement the company offered no support, other than to say he should be careful and watch his bank account closely. I haven’t seen the actual correspondence yet, but he promised to share it with me. Given my relationship with this friend, I have no doubt about the accuracy of his description.

This got me thinking about my own experience with one of the top five fast-food chains from about a year ago. Some of you may follow me on Twitter and remember me calling out Wendy’s about a payment card concern I had after visiting one of their stores in the Des Moines metro. A VP of operations for the local franchise group told me to investigate the issue myself and they were not concerned. He then ignored every email I sent after that requesting additional information and support.

Lo and behold, about a year later, Wendy’s announced a major credit card data breach. In fact, last month Wendy’s admitted that the cybersecurity incident was worse than it originally thought.

This brings me to my point. If you have a data breach, respond to your customers. You might not like what they have to say, and some of it might get nasty.  However, not responding, not owning the problem and appearing to be unconcerned or aloof will only make it worse. 

During and after a cybersecurity incident or data breach there are many things that are out of your control. You have to accept this. However, the things that are in your control should be made a high priority for your team. Have a pre-defined response that doesn’t contain the emotion of the hour. As a CEO or business owner, one of the hardest things to swallow is the loss of reputation. It’s difficult to put a dollar amount on this. Don’t you want to do everything possible to assure your customers that you care about them during your darkest hour? How much goodwill can be bought by timely and polite communications? There really is no cheaper insurance against losing a long-term customer than valuing the relationship. 

One last word of advice: If you deal with any sort of personally identifiable information (PII) such as financial account numbers, health care information, Social Security numbers, etc., you need to buy data breach notification insurance that includes credit monitoring. Even if some studies show the monitoring is ineffective, you are buying back some of your clients' trust in your brand. In the end, talk is cheap; trust is not.

Dave Nelson 2015 IowaBiz Blog

Email: dave.nelson@integritysrc.com

Twitter: @integritySRC | @integrityCEO

Website: https://integritysrc.com


Every time we authorize a company to automatically withdraw a monthly amount from our checking accounts we increase our exposure to a data breach. By self-directing our banks to pay the recurring monthly amounts we limit that data-breach exposure to our own banks. Despite the "too big to fail" issues that have drawn legislative attention, most of the banks from that group have sophisticated consumer-protection protocols in place. When companies offer a monthly "discount" on their services for letting them dip into our checking accounts, our decision should be an informed one for which we alone are accountable. Recently CenturyLink charged a 350% "late fee" on my monthly DSL bill. My monthly bill was a recurring-amount, self-directed, and automatically-paid from my checking account. The payment was not late, but I did not catch CenturyLink's $2.00 monthly increase in time to edit the automatic payment amount. Even though the past-due $2.00 was paid and the automatic-payment amount has been increased, their billing statement continues to add another $7.00 late fee on top of the previous month's $7.00 late fee. Retail consumers have experienced customer-service and sales practices long ago ripe for overhaul. Without intervention to change multiple aspects of how they engage with their customers we are collectively allowing CenturyLink, and other companies like them, to continue to put our personally identifiable information at risk.
