How Marketers Should Prepare for and Communicate a Data Breach by Craig Swerdloff

 

The main driver of data theft is fraud. Armed with large amounts of personal data, criminals prey on unsuspecting consumers. With just a debit card and a PIN (personal identification number), criminals can electronically withdraw large sums of money from bank accounts in a short period of time. With a credit card number and an expiration date, criminals can easily make several purchases before the credit card company suspects any unusual activity has transpired. 

 

What can corporations do to minimize the damage that data theft poses to them and their customers? The first precaution is to have a plan in place before these incidents occur.  This will allow companies to act fast and avoid costly mistakes. Second, companies should be prepared to communicate the details of the breach to their customers. Early notification gives consumers the ability to cancel their debit and credit cards before criminals wreak further havoc. For corporations, early notification minimizes legal ramifications, and, perhaps more importantly, avoids further damage to the company’s reputation.

 

At least 46 states, the District of Columbia, Puerto Rico and the Virgin Islands have laws requiring notification of data breaches. Certain states require notification within 30 days, leaving little time to waste in deploying a plan of action. Several measures must be taken in order to effectively communicate with victims, including: verifying email and postal addresses, writing the message that needs to be delivered, mailing notification emails and letters, and setting up a call center or other services specially for the purpose of informing affected individuals. Keep in mind, some states mandate specific content to be included in these notification letters. This often includes toll-free numbers and postal addresses for the three major credit bureaus, the FTC, and a state’s attorney general. Importantly, multiple state laws may apply to one data breach because jurisdiction depends on where the affected individuals reside, not where the business is located. If some affected individuals live in a state that mandates notification and others live in a state that doesn’t, everyone should still be notified so companies are not targeted for inequality. Furthermore, mishandling notifications can lead to additional consequences, including fines and other unbudgeted expenses. It could also further tarnish brand reputation and customer loyalty.

 

While some states mandate that corporations provide written notification via direct mail, the process can be slow and expensive. Corporations should consider a two-channel approach: quick notification via email, followed by a direct mail piece. Working with your Email Service Provider (ESP) will allow for fast and cost effective notification through the email channel. First, make sure your email database is up to date. Using a third party email validation service to identify and remove invalid email addresses before you mail, is critical to protecting your sender reputation with the ISPs (Internet Service Providers). Second, have your ESP reach out to Spamhaus and other blacklist providers to notify them of the upcoming communication. It is very likely that a significant number of your old customer email addresses have been converted into spam traps and you want to ensure your email regarding the breach does not land you on a blacklist.  Working with your ESP, an email validation vendor, and the major blacklist providers will ensure that your notification (and other) emails are delivered to your customers’ inboxes.

 

While data theft is on the rise, corporations that respond quickly and intelligently, and effectively communicate with their customers will minimize the negative impact on their brand image and revenue. The email channel plays an important role in notification, but marketers need to be aware of the potential damage to their sender reputation and their email marketing performance.