Remember Target's massive 40 million user data breach? It just got much worse. It turns out the breach actually involved as many as 70 to 110 million users, and is now the largest data breach in U.S. history.
Target is desperately struggling to rebuild its brand. As it does so, IT and tech consultants have a chance to watch and learn from the way Target handles the extra scrutiny that comes with a data breach.
In this guide to rebuilding client trust, we'll take a look at the dos and don'ts of customer relations after a breach. We'll use Target's data breach as an example to illustrate what works well and what works less well.
You might be wondering why we're discussing "customer relations" on a tech blog. We've covered many of the technical and legal concerns in our data breach response guide, but customer relations are extremely important to the long-term viability of any tech business.
Tech companies might be hired to help a company respond to a data breach or they might have to help an old client when the tech companies' software is hacked or a system failure causes a breach. In either case, it's vital to handle the crisis well and rebuild customer trust. In doing so, tech companies can potentially avoid lawsuits, reduce their cyber liability, and limit ongoing headaches and hassles.
Life Under the Microscope: How Tech Companies Can Overcome Client Distrust after a Data Breach
In the months after a data leak, clients and potential clients will be skeptical of the company that lost their data. Every action and attempt to rebuild their trust will be looked at under a microscope.
So how does a computer consulting company earn back the trust of the customer or client whose data was lost? To answer that question, let's look at each aspect of Target's response and grade how well it did.
- Be clear about what data was lost and when. At first, Target said only credit card information was lost. Then it acknowledged that debit card PINs were also stolen. And now Target admits the breach involved phone numbers, addresses, and other data and was actually almost three times as large as initially reported. From a P.R. perspective, this was a horrible case of mismanagement. One bad news story became three, effectively keeping Target in the news for weeks. IT companies need to be upfront about what data was lost, because that's what customers need to know. You don't want to have to keep admitting to more problems later. Target's grade: D.
- Reassure users about their security. Target did a good job of articulating that some of the lost data was encrypted. Many users won't understand exactly what a data breach is. Most have no idea what "encryption" means. Breaches are painful and expensive, but if data is encrypted, IT consultants and tech companies can mitigate their risk. In Target's case, though credit card data was unencrypted, PINs were encrypted. Articulating the difference to your clients can reassure them. Target's grade: B+.
- Remember that customers will be skeptical of official communications. James Lyne, a cyber security specialist at Forbes magazine, points out Target's emails after the data breach accidentally look like spam emails. Rather than have an email address like "[email protected]," Target used domain names like target.b0fio.com, which look exactly like the kind of link you might see in a phishing email, causing even more anxiety for wary customers. Target's grade: C-.
- Offer discounts and reach out to customers. Target gave customers a 10% discount for December 21st and 22nd. The gesture was good, but may have been a strange case of too little, too early. Target gave the discount during the holidays when many people weren't even sure if they were affected. The full scope of the breach wasn't even known at the time. Furthermore, the last thing many shoppers want to do is go shopping in the last days before Christmas to a store they've already been to – and where their personal information was compromise. Target's grade: C.
- Open call center for complaints. Unfortunately, a massive amount of calls swamped Targets call center and meant concerned customers were unable to reach Target's representatives. Similar problems shut down Target's web complaint services. You need to have a way for customers to contact you, but more importantly, it needs to work. Target's grade: D+.
- Offer credit monitoring and reassure customers they won't be charged for purchases they didn't make. Target is clear in its official statements that any customer can take advantage of its free credit monitoring service. In a nice touch, Target's CEO makes this statement himself on the website, also pointing out that if fraudulent charges appear on their credit card statements, customers will ultimately be refunded. Target's communications on this issue are crystal clear and come from the top executive. Target's grade: A-.
Target's scores average out to a C on its response. Of course, the company failed the most important test when it lost customer data in the first place. But overall, it's mostly treaded water since the breach.
Target's struggles point out how difficult and costly the response to a data breach can be. Despite employing P.R. professionals, setting up a call center, and offering discounts, Target's reputation remains in a state of freefall.
Many technology consultants and IT companies develop a Data Breach Notification Plan in order to be prepared ahead of time for the challenges of contacting clients and customers after a breach. As you develop your plan, make sure you learn from Target's mistakes.