It seems many businesses don’t know what to do in the event of a data security breach and, in an attempt to save face, under-represent the extent of the damage or fail to disclose the intrusion entirely.
One such organisation, the Australian website Catch of the Day, waited three years to inform customers that a security breach had taken place. The company’s database was compromised in May 2011, but it did not notify customers of the attack until July 2014. The company also lied about the steps it took immediately following the event, claiming it notified the Australian Federal Police and the Australian Privacy Commissioner of the attack in 2011. However, both offices said they were not informed at the time.
While the company escaped criminal charges by assuring the privacy commissioner that it had taken steps to improve its security, customers were no less critical of Catch of the Day’s actions and dissatisfied with its service. By not informing customers of the breach immediately, the company did not give people a chance to change their personal information and take appropriate measures with their banks.
Another example of a poorly handled breach resulted in more than angry customers. After Target suffered a hack during the 2013 holiday season, the company paid $10 million to settle the resulting lawsuit from customers. Target had to pay an additional $67 million to Visa card issuers, $19.1 million to MasterCard issuers and $20.3 million to banks and credit unions, Reuters reported.
What customers go through during a security breach
Victims of a security breach can be harshly penalised for something that wasn’t their fault. They can suffer from unauthorised use of their personal and payment information, higher interest fees on their accounts and damage to their credit. They also have to spend time and money replacing their information, addressing various charges and correcting their credit reports. As a result, they’re far less likely to return to a business that was hacked.
This is why it’s incredibly important for all businesses – bricks-and-mortar, online, business-to-consumer, business-to-business and more – to be open and transparent about any security breaches. While a hack certainly diminishes a company’s public standing, not addressing it properly makes the situation worse. Customers are upset when they find out their information was compromised, but they’re even angrier if and when they learn the company didn’t take steps to properly maintain security or didn’t inform customers before they suffered consequences.
What to do in the event of a breach
Prevention is key, and the first step in handling a data breach is making sure your business has the necessary security measures in place before one ever occurs. For businesses dealing with payments, this means adhering to the Payment Card Industry Data Security Standard (PCI DSS). Retailers can either meet these requirements themselves or work with a third-party payment processing company that is fully compliant.
Unfortunately, as recent news from Oracle and the College Board shows, data breaches aren’t going away. If your company is hacked, you should immediately assess the damage and inform your customers of the event. This gives them the opportunity to change their sensitive information, including login credentials and payment methods, before they suffer any damage. Your ultimate goal should be to keep your customers’ hardships to a minimum.