No company wants to hear the news that they are involved in a data breach. Not only are breaches costly in terms of time spent investigating and closing the leak, they can irreparably damage your company’s reputation and drive away even the most loyal customers.
However, as serious as any type of data breach is, not all data breaches are created equal in terms of severity. You obviously want to protect all of the data you collect from your customers equally, but in the event of a breach, the type of data that’s been compromised is an important consideration when it comes to developing an appropriate response and plan of action.
Data Type One: Emails and Phone Numbers
Like many companies, you probably at least collect email addresses, physical addresses, or phone numbers from your customers. While that information is valuable for your marketing efforts, it’s also valuable to hackers. In most cases, thieves who steal email addresses use the information to launch phishing schemes designed to get even more valuable information, or sell the lists to spammers who will bombard your customers with junk mail. Often, they do both.
While having your customer information compromised is problematic and could affect customer relationships, comparatively speaking, this type of breach is less dangerous than others. If you are sure that this is the only type of data that has been compromised, and no financial or personally identifying information was revealed, then the chances of identity theft are low. You still have a responsibility to notify your customers and comply with any legal requirements related to breaches, but your response should focus primarily on education. Inform your customers that their information has been compromised, and recommend that they change their passwords immediately. Remind them that they could receive phishing emails or texts, and remind them of your policies regarding data collection and contacts.
Data Type Two: Financial Information
When compromised data includes financial information, including credit card, debit card, or bank account information, the situation is more serious, and your response should be focused on preventing losses. This means complying with local and federal laws regarding who should be notified and when, and sharing as much information as possible to help your customers keep their money safe.
Since in most cases you do not manage the accounts that have been compromised, you must notify the financial institutions that do manage them. In many cases, banks can identify potentially affected customers and will immediately issue new cards and place alerts on accounts. However, because not all banks do this as a matter of course, it’s important to communicate with the affected customers and inform them of the breach and to be on alert to fraudulent activity on their accounts.
Phishing scams are also common in this scenario, as the criminals may use the data they collect from bank or card accounts in an attempt to deceive victims into revealing more information. For example, they may send a phishing email purporting to be about the data breach, and direct customers to a fake login page, where they then steal passwords and more information.
Because stolen financial data can create such a snowball effect, consider offering free credit monitoring services to those customers who have had their data exposed. While the chances of identity theft based on stolen payment data are slim, it’s still possible. Credit monitoring will alert victims of the breach of any suspicious or fraudulent activity on their accounts, and prevent further losses.
Data Type 3: Personally Identifying Information
The most potentially dangerous type of data breach is one that involves specific, personally-identifying information such as Social Security numbers and driver’s license numbers. Armed with these numbers, a criminal can wreak havoc on a victim’s financial life by opening new accounts in their name.
If this type of data is exposed, again, notification and mitigation are the top priorities. Customers should be directed to request fraud alerts from the major credit reporting agencies (in some cases, a security freeze that prevents the establishment of any new accounts is in order, such as when there is evidence that identity theft has already occurred.) It’s also vitally important to work with a credit-monitoring agency that will alert customers to any possible instances of fraudulent activity.
Again, all data breaches are serious, and should be treated as such, but the level of your response and the actions you take should be dictated by the type of data that’s been compromised. Not all data breaches result in identity theft, so it’s important not to panic and take the right steps to protect your customers, reputation, and bottom line.
