[BreachExchange] Delivering Email Post-Data Breach: 4 Tips for Avoiding the Impact

Destry Winant destry at riskbasedsecurity.com
Mon Mar 4 09:32:46 EST 2019


https://securityboulevard.com/2019/03/delivering-email-post-data-breach-4-tips-for-avoiding-the-impact/

A quick Google search of “what to do after a data breach” yields
specific instructions for affected consumers (determine what was
stolen, change affected passwords, contact financial institutions,
sign up for a credit-monitoring service, etc.), but for the brand that
caused the breach, next steps are usually a bit more complicated.

Oftentimes, the very first thing on the to-do list is to reach out to
all customers via email, informing them their personal information was
potentially compromised. Breach-notification law (in the US, the state
notification statutes, backed by FTC guidance) requires this so that
affected individuals can take steps to reduce the chance their
information will be misused. For brands like Marriott and Coffee Meets
Bagel, both of which recently experienced breaches, this sort of
large-scale email outreach has the potential to tarnish an already
damaged reputation.

IBM’s “2018 Cost of a Data Breach Study” reports that the average cost
of a data breach is up more than 6 percent from 2017, to $3.86
million. Given that cost, alongside the damage a breach already does
to customer retention and brand trust, brands should invest in
avoiding a breach altogether and, when one happens anyway, look for
small wins such as protecting email deliverability.

Tip 1: Send a heads-up to mailbox providers and blacklists

Sending a data breach notification message to your entire email list,
including unresponsive and inactive addresses, will hurt your sender
reputation. Through inactivity, those addresses have signalled that
they are no longer interested in a brand’s content, and some of them
will have been abandoned long enough to be recycled into spam traps by
the mailbox provider. If you send them an “unwanted” message, mailbox
providers (MBPs) will take note. Work with your ESP’s deliverability
team to notify the email community of the alert you are about to send;
they may be able to put the campaign on a separate, dedicated IP so
that any reputation damage does not spill onto your regular marketing
or transactional mail. The intention is to help MBPs understand in
advance why there will be a spike in undeliverable email and in users
marking your messages as spam.

Tip 2: Make sure your emails are easily recognized

It’s important that your brand maintains a high level of consistency
during this time. After a data breach, customers are on high alert,
and you don’t want them marking your email as spam because you decided
to change the “friendly from” (the display name) to an individual’s
name to make the message seem more personal. That sort of change can
cause a consumer not to recognize the brand and ignore the email
altogether. You should also send all messages from a subdomain of the
organization (sub.250ok.com) rather than a cousin domain
(cousin-250ok.com): a subdomain is visibly yours and is covered by the
DMARC policy published at the parent domain, whereas a cousin domain
is indistinguishable from the lookalike domains phishers register to
exploit breach news. Last but not least, include the notification
sending address in your public FAQ document, with messaging along
these lines: “If you have been impacted by this data breach, you will
receive a notification from 250ok <Notification@sub.250ok.com>.”

Tip 3: Review all authentication records

Given the volume you’re about to send, now is not the time for a
missing SPF or DKIM record. Double-checking these records in your DNS
should be simple, especially if you are using a brand-specific
subdomain for your ESP. Make sure your SPF record ends in ~all or -all
(never +all, which passes everything) and stays within the limit of
10 DNS lookups, and that the DKIM selector your ESP signs with
publishes a valid key. If those are good to go, the next step is
DMARC. Set your DMARC record to p=quarantine or p=reject to stop
copycat notifications that spoof your exact domain; it does nothing
against lookalike domains. Before tightening the policy, confirm from
DMARC aggregate (rua) reports that your ESP’s mail aligns, that is,
that the DKIM d= or SPF domain matches the From domain; otherwise the
policy will quarantine or reject your own notification.
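The checks described in this tip and in Tip 2, as an added example that
is not code from the original article or from 250ok: a small Python
checker that parses SPF, DKIM and DMARC record strings, flags the weak
settings (?all/+all, too many lookups, empty DKIM key, t=y, p=none,
partial pct, no rua), and shows why a DMARC policy at 250ok.com covers
sub.250ok.com but not cousin-250ok.com. All record values, domains and
the rua address are constructed; in production you would fetch the TXT
records with a DNS resolver instead of passing strings.

```python
"""Sanity-check SPF, DKIM and DMARC records before a large send.

Added example, not code from the original article or from 250ok.  It parses
record strings (in production you would fetch the TXT records with a DNS
resolver) and flags settings that would weaken a breach-notification campaign.
All record values, addresses and domains are constructed; 250ok.com appears
only because the article uses it as its example domain.
"""
import re

# SPF terms that each cost a DNS lookup; more than 10 is a permerror (RFC 7208).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def check_spf(txt):
    """Return a list of findings for an SPF record; an empty list means OK."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    all_qualifier, lookups, findings = None, 0, []
    for term in terms[1:]:
        qualifier, body = "+", term  # "+" (pass) is the implicit qualifier
        if term[0] in "+-~?":
            qualifier, body = term[0], term[1:]
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_TERMS:
            lookups += 1
    if all_qualifier is None:
        findings.append("SPF: no 'all' term; add ~all or -all")
    elif all_qualifier in "+?":
        findings.append("SPF: '%sall' lets any sender pass; use ~all or -all" % all_qualifier)
    if lookups > 10:
        findings.append("SPF: %d lookup terms exceed the limit of 10" % lookups)
    return findings

def parse_tags(txt):
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC records."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dkim(txt):
    """Findings for a DKIM key record (<selector>._domainkey.<domain>)."""
    tags, findings = parse_tags(txt), []
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional but must be DKIM1
        findings.append("DKIM: v= must be DKIM1 when present")
    if not tags.get("p"):
        findings.append("DKIM: empty or missing p= (key revoked or never published)")
    if "y" in tags.get("t", "").split(":"):
        findings.append("DKIM: t=y testing flag set; RFC 6376 tells verifiers not to treat the mail differently from unsigned mail")
    return findings

def check_dmarc(txt):
    """Findings for a DMARC record (_dmarc.<domain>)."""
    tags, findings = parse_tags(txt), []
    if tags.get("v") != "DMARC1":
        return ["DMARC: record must start with v=DMARC1"]
    policy, sub = tags.get("p"), tags.get("sp", tags.get("p"))  # sp= defaults to p=
    if policy not in ("quarantine", "reject"):
        findings.append("DMARC: p=%s does not block spoofing; use quarantine or reject" % policy)
    if sub not in ("quarantine", "reject"):
        findings.append("DMARC: subdomain policy sp=%s leaves subdomains open" % sub)
    if int(tags.get("pct", "100")) < 100:
        findings.append("DMARC: pct=%s applies the policy to only a sample of mail" % tags["pct"])
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you will receive no aggregate reports")
    return findings

def org_domain(name):
    """Organizational domain, simplified to the last two labels (an assumption
    here; real DMARC uses the Public Suffix List, so this is wrong for example.co.uk)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode="r"):
    """DMARC identifier alignment: does the DKIM d= or SPF-checked domain cover
    the RFC5322.From domain?  'r' = relaxed (default), 's' = strict."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

# Constructed records for a hypothetical sender sub.250ok.com; the p= value
# is a placeholder, not a real key.
WEAK_SPF = "v=spf1 include:esp.example.net ?all"
GOOD_SPF = "v=spf1 include:esp.example.net -all"
DKIM_RECORD = "v=DKIM1; k=rsa; p=cGxhY2Vob2xkZXI="
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
GOOD_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@250ok.com"

if __name__ == "__main__":
    for label, check, record in [("weak SPF", check_spf, WEAK_SPF), ("good SPF", check_spf, GOOD_SPF),
                                 ("DKIM", check_dkim, DKIM_RECORD), ("weak DMARC", check_dmarc, WEAK_DMARC),
                                 ("good DMARC", check_dmarc, GOOD_DMARC)]:
        print(label, "->", check(record) or ["OK"])
    # The policy at 250ok.com reaches sub.250ok.com under relaxed alignment but
    # says nothing about a cousin domain such as cousin-250ok.com.
    print(aligned("sub.250ok.com", "250ok.com"), aligned("cousin-250ok.com", "250ok.com"))
```

The parser is deliberately strict about the things that break a big
send (the 'all' qualifier, the lookup limit, an empty key) and silent
about everything else; run it against the live TXT records for the
sending subdomain, the DKIM selector your ESP uses, and _dmarc of the
parent domain.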

Tip 4: Follow data minimization best practices

If you have already been impacted by a data breach, this tip requires
a time machine. But, it’s never too late to start following data
minimization best practices. Be smart about what data your company
needs and more importantly, what data it doesn’t need.

- Don’t save unnecessary data: Do you need the data to complete the
job? If not, don’t save it!
- Encrypt data at rest: It costs more in the short term, but will save
you big bucks in the long run (remember how data breaches cost on
average almost $4 million?). Encryption only helps if the keys are
stored and access-controlled separately from the data; a dump taken
with the keys alongside it is not protected.
- Set time limits: Unfortunately, there are no clear-cut guidelines on
how long you should keep consumer data. Regularly review the data you
store and consider how often you use it. Set internal policies on how
old the data you require may be and determine after what length of
time it should be deleted or anonymized.
- Prepare for employee turnover: According to an Osterman Research
survey of IT and HR decision-makers, 69 percent of companies suffered
significant data loss resulting from employees who left. When
employees leave, their data access is often left in place, allowing
attackers to take advantage of dormant accounts. Know what data
permissions your employees have and revoke them when they leave.

Bonus tip: Before you send out that data breach notification email,
run your list through a list validation tool to clean out bad
addresses, and suppress anything that has previously hard-bounced or
complained. If you have an alternative channel for users whose email
comes back invalid, such as a postal address, send them a letter
instead.
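The offline part of that list clean-up, as an added example that is not
code from the original article or from 250ok: normalise addresses, drop
malformed ones, de-duplicate, honour a suppression list, and route
contacts with no usable email to a postal letter. The contacts and the
suppression list are constructed sample data; a commercial validation
tool also checks MX records and mailbox existence, which this example
does not attempt.

```python
"""Offline list hygiene before a breach-notification send.

Added example, not code from the original article or from 250ok.  It covers
the part of "list validation" you can do without network access: normalise
addresses, reject malformed ones, de-duplicate, honour a suppression list of
previous hard bounces and complaints, and route contacts whose email is
unusable to a postal letter.  A commercial validation tool additionally
checks MX records and mailbox existence; that step is out of scope here.
The contacts and the suppression list are constructed sample data.
"""
import re

# Deliberately simple syntax check: one '@', a local part without whitespace,
# and a dotted domain ending in an alphabetic TLD.  Not the full RFC 5322 grammar.
ADDRESS_RE = re.compile(r"^[^\s@]+@(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def normalise(address):
    """Trim and lower-case an address for comparison.  Lower-casing the local
    part is an assumption (RFC 5321 allows case-sensitive local parts, but
    mailbox providers treat them case-insensitively in practice)."""
    return (address or "").strip().lower()


def partition_contacts(contacts, suppressed):
    """Split contacts into (send by email, send by post, unreachable).

    contacts: iterable of dicts with 'id', optional 'email', optional 'postal'.
    suppressed: set of normalised addresses that previously hard-bounced or
    complained; mailing them again only damages reputation.
    Duplicate addresses are mailed once, under the first contact seen.
    """
    by_email, by_post, unreachable, seen = [], [], [], set()
    for contact in contacts:
        addr = normalise(contact.get("email"))
        usable = bool(ADDRESS_RE.match(addr)) and addr not in suppressed
        if usable and addr in seen:
            continue  # already covered by an earlier row
        if usable:
            seen.add(addr)
            by_email.append({**contact, "email": addr})
        elif contact.get("postal"):
            by_post.append(contact)
        else:
            unreachable.append(contact)
    return by_email, by_post, unreachable


# Constructed sample data.
CONTACTS = [
    {"id": 1, "email": " Alice@Example.com ", "postal": "1 High St"},
    {"id": 2, "email": "alice@example.com"},                   # duplicate after normalising
    {"id": 3, "email": "bob@example", "postal": "2 Main St"},  # malformed, has postal fallback
    {"id": 4, "email": "carol@old-isp.example"},               # suppressed, no fallback
    {"id": 5, "email": "dave@example.org"},
    {"id": 6, "email": None, "postal": "3 Park Ave"},          # no email at all
]
SUPPRESSED = {"carol@old-isp.example"}

if __name__ == "__main__":
    email, post, lost = partition_contacts(CONTACTS, SUPPRESSED)
    print("email:", [c["id"] for c in email])        # [1, 5]
    print("post:", [c["id"] for c in post])          # [3, 6]
    print("unreachable:", [c["id"] for c in lost])   # [4]
```

Contacts that end up in the unreachable bucket are the ones to hand to
whoever owns substitute notice (web posting, media notice or similar),
rather than being quietly dropped from the send.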

Let’s face it. You’re not going to be able to avoid any and all
negative impact on your deliverability. Regardless of how cautious you
are with your email distribution, you’re going to hit some spam traps
and you’re going to have some undeliverable emails. But with these
tips, you can minimize the negative impact the breach has on your
reputation in the long-term.


More information about the BreachExchange mailing list