Delivering Effective Customer Notifications
I recently had the opportunity to speak at an event about crafting customer notifications. The audience was largely security practitioners but my core message was about preparing our customer facing teams for the unfortunately all too common event of a data breach. As security practitioners we often spend time in a security bubble and take for granted a certain level of knowledge and understanding of process but we should also spend time thinking about how the rest of our organization will operate during a data breach.
A story outside our bubble
A few months ago I received a call from my Grandma. She was concerned about having received a notification that she had been part of a data breach and wasn’t sure what to do about it. She had many seemingly basic, but good questions; What’s PII? I use the app on my iPad, is it safe to log into other applications like my bank? Is it safe to use my account? How do I know when it’s safe?
I was surprised, for example, that the notification she had received used the acronym PII. We know that it stands for Personally Identifiable Information, but why would she? I didn’t always know what it meant and I imagine most people don’t. I’m also not surprised whoever crafted the notification used it. They were probably under pressure and in our security bubble we say PII without defining it all the time. And her question about how this might affect her access to her bank account was also reasonable, in fact, she might have reasonably been worried about whether the data breach compromised her bank account even if she could still access this on her iPad. All this got me thinking about our customer facing teams and the individuals who will actually be interfacing with customers in the event of a data breach. Do they know what PII is? Do we explain what are and are not the implications to the customer of the data breach? How we respond to a data breach will define how a customer views our organization and it is exactly at a time of crisis that organizations can either build their reputation in the eyes of their customers or quickly undermine their reputation. And yet a little bit of preparation can go a long way to ensure the best possible outcome for the organization and its customers.
Practice makes perfect
What is most important is to ensure that under pressure, the basics aren’t overlooked. We want to prevent confusion and delays during a response and focus on priorities. Many security teams engage in tabletop exercises to prepare for incidents, but they don’t always include customer communication as part of their exercises. Ensuring effective communication can be as simple as including customer facing teams in your exercises, simulating the crafting and delivering of notifications during those exercises, and including non-technical participants who receive communications and question your team. And of course it is critically important to practice on a regular schedule. It sounds obvious, but including these teams and training them will make all the difference in the event you need to notify your customers. The relationships we have with our co-workers, how we work together, and how we interact with our customers, matter before a crisis and will determine how well the crisis is managed.
Cross-team alignment
Cross-team alignment ensures that customer notifications are accurate, timely, and compliant. Without it, miscommunication can lead to delays, inconsistent messaging, or loss of trust. The best way to prepare our teams is to make sure they know what their responsibilities are, but also what are NOT their responsibilities. Who’s job is it to speak with customers? One of the worst mistakes we can make is providing inconsistent messaging. Whose job is it to determine what happened? Whose job is it to ensure that communications are legally compliant? It might, for example, feel counter intuitive, but it’s not leadership's job to figure out what happened and determine how to deal with it. Leadership may want quick answers, but it’s up to our dedicated teams, each working in their domain of expertise and working together with effective internal communications to drive solutions, craft communications, and take care of our customers.
Best practices
Imagine you receive the following notification:
What’s wrong with this? Besides the fact that I used ChatGPT to generate it… there are many blatant issues that nonetheless can easily, and sometimes do, appear in customer notifications.
Normally patience and understanding is a sign of empathy, but combined with all of the other problems it feels like a slap in the face. This example is extreme, but it combines elements that are too common in real examples.
Fortunately it’s easy to overcome these mistakes by remembering the following:
- Keep It Clear and Transparent: Use plan language when addressing your customers. Tell them what happened with factual and concise details. Outline the impact to them and clearly state what they need to do and how you’re helping. Avoid vague terms like “cyberattack” and if possible explain what really happened and importantly avoid jargon and acronyms that many customers will not be familiar with.
- Own the Issue, Even if it’s Not Your Fault: Customers care about solutions, not excuses. At Riscosity we’re all about discovering data flow to third party vendors but your customer won’t care if a breach was caused by a third party because customers rightly see your organization as the vendor they deal with. Make sure you communicate how you’re addressing the issue. When working with vendors you outsource the service but not the risk.
- Communicate with Empathy: Always acknowledge inconvenience and never minimize. One of the worst situations you can be in is having to tell customers a breach was more extensive than originally understood after minimizing. Always offer support and always disclose to individual victims.
- Notify Quickly, But with Purpose: You need to balance urgency and accuracy. Notify once you have enough verified details and follow up with regular updates. If you’re working with law enforcement make sure to coordinate with them on notification timing. Be mindful of any regulatory requirements including all the local jurisdictions in which you may be operating and whose laws and regulations may apply and be mindful of your deadlines.
With clarity and transparency, ownership, and empathy we can build trust that will define how our customers view your organization.
At Riscosity we’re building solutions to secure data in motion and reduce the risk of a data breach. We also work with security practitioners who spend time preparing and thinking about their incident response. Much of what I wrote may feel obvious to us, but hopefully it’s a reminder that in a high stress incident, what’s obvious gets forgotten and we should spend time preparing accordingly.