[BreachExchange] Customers need to be at the centre of GDPR plans

Destry Winant destry at riskbasedsecurity.com
Mon Oct 8 21:12:50 EDT 2018

The new General Data Protection Regulation (GDPR) has shone a light on
how businesses prepare for, and respond to, a data breach.

With cyber criminals becoming increasingly sophisticated, the majority
of organisations realise a data breach is simply a matter of when, not
if. The most robust cyber defences operate and evolve on this basis
but, when faced with such an incident, many firms will instinctively
focus their resource and efforts on containment, rather than on their
most important asset: their customers.

Once the data is gone, it is the customers who need protection. As the
very visible outcome of the breach takes hold, organisations with
significant customer databases that do not prioritise customer needs
risk magnifying the crisis exponentially. This could include the
triggering of regulatory fines but also customer loss, a hit to brand
reputation, trust and, potentially, even share price.

There are key steps a business can take to ensure readiness and enable
an effective, customer-centric response during a breach.

Pre-breach: expect the expected

GDPR states that firms are mandated to put in place appropriate
“organisational measures” as part of their breach preparation. These
measures include the notification to customers ‘without undue delay’
of any breach that is likely to create a privacy risk for them. At the
same time, the risk to customers caused by a breach makes protecting
them a key priority.

The risk for customers begins in the immediate period after the
breached data is exfiltrated. Criminals are not just using the stolen
data to potentially access customer accounts but also looking to
defraud them through phishing emails and call scams.

Notifying customers quickly about the breach is the first step.
Supporting and protecting them in the days and weeks following the
incident is what really counts. And it can be over weeks or months as
the data is not always used immediately.

So, timeliness is important when mobilising a breach response – GDPR’s
72-hour notification window reinforces the need to set into motion an
operation of the scale and capability required to provide an adequate
customer response along similar timelines. If unprepared, this becomes
a highly visible, high-risk race against time to enact a complex
operation of notification.

Resource pressures now appear. Breaches lead to a big spike in
customer enquiries and concern, placing huge demand on internal
operations – which are already delivering other services. Having
enough resources to continue “business as usual” operations alongside
setting up an effective breach response is an enormous challenge.

Coping with the surge in worried customer calls could lead to long
“call waiting” queues which can very quickly transition to negative
social media commentary and press coverage about frustrated customers
being ignored.

A range of specialists

In addition to resource issues, a data breach also requires an
extensive range of specialists to support a successful customer
response. This ranges from experts in customer messaging to social
media analysts, operational specialists, identity protection and
forensic investigators. This army of support must be coordinated and
managed with military precision to ensure the right level of support
is delivered to the customer in the most appropriate way and in a
timely manner.

Finally, having the key infrastructure in place to support a fast
breach response is critical. The telephony capacity and routing to
handle the spike in customer calls, mass printing and mail-out
capability, database cleansing and management all need to be ready to
go live with supporting contracts already in place. This is work that
must be concluded before any breach takes place; resources identified,
capacity identified and contracted, customer support readiness
planning and exercising conducted.

Post-breach: minimising the impact on customers

The outcome of a breach response is ultimately determined by two
factors: the speed of notification and the quality of response.
Successful plans recognise the volume of trained resource required to
be in place to enable every one of the business’s “at risk” customers
to be notified, their questions and concerns addressed and any
suspected fraudulent activity remediated through identity repair.

To be truly customer-centric, this should include the ability to
handle high-volume first class mail, a high-capacity incident response
website, a phone system able to quickly and securely route customer
calls and emails, and an identity protection platform.

The quality of the customer notification response is, unsurprisingly,
determined by the level of specialist skills and experience of the
customer response team.

Customer support is far from a “one off” activity: support staff
should have specialist knowledge and crisis experience. This could
mean the difference between a positive and negative customer
experience, or between retaining their loyalty and a
reputation-damaging customer loss headline.

While some customers will simply want to know what has happened and
why, others may believe they have been personally attacked or have
other worries about their online identity. The scope of concerns will
be wide across an audience with significantly different levels of
understanding of the digital world and the realities of cyber risk.

The quality and awareness of a firm’s customer handling staff in the
contact centres is key. Their ability to triage the needs of different
customers, provide identity protection advice and support, as well as
help with identity repair will become the central tenet of this
customer engagement. In many cases this work is outsourced to
professionals who do it full time, to speed action and improve
customer care.

Complementary to this is having a full identity protection strategy in
place. This should encompass everything from access to credit
monitoring and fraud alerts to specialist identity repair support
services. In a vulnerable, post-breach scenario, this can do much to
alleviate customer concerns and reassure them that everything is being
done to support and protect them.

Failure to care for the customer is failure to manage the reputation.

It is almost inevitable that organisations will find themselves facing
a data breach at some point, but it is not inevitable that the
consequences include customer migration to competitors. Best practice
customer breach support protects customers, minimises regulatory and
reputational risk and reduces the overall financial impact of a data

Deploying this at the pace required by customers and dictated by GDPR
is only possible with effective planning before any breach occurs –
ensuring that the right expertise is available to cope with the volume
of customer queries, and that secure and scalable infrastructure
delivers the best service to those who determine the future of the
business – the customers.

Taking a customer-centric approach to planning for and responding to a
data breach is the key to ensuring a positive outcome for
organisations and their customers alike.
