This post is sponsored by AllClear ID.
Jamie May is Vice President of Operations at AllClear ID. Since joining the company in 2007, she has managed the implementation and execution of more than 1000 data breach responses, including one of the largest retail breaches in history and several large healthcare breaches. She advises Fortune 1000 companies, government agencies and healthcare organizations on all aspects of breach preparation and response, and is a sought-after industry expert.
Question: How has the breach response landscape changed over the last year?
Jamie May: In 2014, the velocity and scale of breach events increased like never before. The Target data breach was a watershed event and marked the first time there was high-visibility executive turnover directly related to a breach. Consumers raised their expectations and now demand a well-orchestrated breach response to begin as soon as it’s public. For businesses, this means the pressure to get it right the first time is more intense than ever.
Q: Many of the largest breaches in 2014 occurred in the retail sector. How is responding to a retail breach unique compared to other industries?
JM: Retail point-of-sale breaches present unique challenges that warrant a particular type of response. In many cases, tens, if not hundreds, of store locations or franchises are affected, making consistent dissemination of information and communication challenging. Further, retailers do not always have direct contact information for those affected by the incident, so it is not always possible to isolate and let specific individuals know they’re affected. Complicating these matters is the fact that the press frequently reports these types of incidents before the company, so the response timeline is compressed and out of the retailers’ hands from the start of the incident. While each breach is unique, these dynamics make preparation especially important when responding to retail breaches.
Q: Losing customer trust is a big concern for brands. What can retailers do before and after a breach to ensure customer trust remains intact?
JM: Retailers should place customers’ needs and concerns at the center of response planning and execution. Taking the time to plan for an incident with the customer in mind will go a long way in preserving trust when a breach occurs.
All communications to customers need to be clear and helpful to minimize confusion and anger. And it is much easier to have clear communications when you think through the flow and complexities in advance of a real incident. Keep in mind, your customers’ first interaction with your brand after a breach may be with the call center, so getting that experience right is crucial to success. Reduce customer anxiety and prevent angry escalations by organizing a call center with responsive, knowledgeable agents trained in identity theft protection. We have also found that customers aren’t comfortable giving up their personal information to enroll in protection services after feeling violated by a breach. Retailers should look for solutions like the program we offer at AllClear ID that offers automatic access to identity repair to create the best experience for affected customers.
Q: What is the single most important thing retailers can do to ensure a breach response goes smoothly?
JM: In my experience, companies that take a customer-centric approach to breach preparation, response, and recovery fare far better than those that do not, both in terms of overall response and the speed at which they are able to return to normal business operations. Retailers have a special relationship with customers, generating a high level of interaction and strong brand loyalty. To successfully manage a breach with a customer focus, companies must first have a plan in place. This will help save significantly by avoiding delays and costly mistakes during the response. Now that we have witnessed the first destructive cyberattack against a U.S. company, the need for every business to have an incident response plan is no longer in question. These plans should include details for how affected customers will be notified and supported throughout the entire response process, from notification to protection to fraud resolution, if necessary.