Home / Legal & Compliance

Why action and transparency matter during a security breach

By / Renée Frappier / In Best practice /

Data Theft 101: Renée Frappier discusses why improperly handling a security breach hurts businesses – and what your organisation should do instead.

It seems many businesses don’t know what to do in the event of a data security breach and, in an attempt to save face, under-represent the extent of the damage or fail to disclose the intrusion entirely.

One such organisation, the Australian website Catch of the Day, waited three years to inform customers a security breach had taken place. The company’s database was compromised in May 2011, but it did not notify customers of the attack until July 2014. The company also lied about the steps it took immediately following the event, claiming it notified the Australian Federal Police and the Australian Privacy Commissioner of the attack in 2011. However, both offices said they were they were not informed at the time.

While the company escaped criminal charges by assuring the privacy commissioner that it had taken steps to improve its security, customers were no less critical of Catch of the Day’s actions and dissatisfied with its service. By not informing customers of the breach immediately, the company did not give people a chance to change their personal information and take appropriate measures with their banks.

Another example of a poorly handled breach resulted in more than angry customers. After Target suffered a hack during the 2013 holiday season, the company paid $10 million to settle the resulting lawsuit from customers. Target had to pay an additional $67 million to Visa card issuers, $19.1 million to MasterCard issuers and $20.3 million to banks and credit unions, Reuters reported.

What customers go through during a security breach

Victims of a security breach can be harshly penalised for something that wasn’t their fault. They can suffer from unauthorised use of their personal and payment information, higher interest fees on their accounts and damage to their credit. They also have to spend time and money replacing their information, addressing various charges and correcting their credit reports. As a result, they’re far less likely to return to a business that was hacked.

This is why it’s incredibly important for all businesses – bricks-and-mortar, online, business-to-consumer, business-to-business and more – to be open and transparent about any security breaches. While a hack certainly diminishes a company’s public standing, not addressing it properly makes the situation worse. Customers are upset when they find out their information was compromised, but they’re even angrier if and when they learn the company didn’t take steps to properly maintain security or didn’t inform customers before they suffered consequences.

What to do in the event of a breach

Prevention is key, and the first step in handling a data breach is making sure your business has the necessary security measures in place before one ever occurs. For businesses dealing with payments, this means adhering to the Payment Card Industry Data Security Standards guidelines. Retailers can either approach these guidelines themselves or work with a third-party payment processing company that is fully compliant.

Unfortunately, as recent news from Oracle and the College Board shows, data breaches aren’t going way. If your company is hacked, you should immediately assess the damage and inform your customers of the event. This gives them the opportunity to change their sensitive information, including login credentials and payment methods, before they suffer any damage. Your ultimate goal should to be to keep your customers’ hardships to a minimum.

Username

Basic Information

First Name *

Last Name *

Company *

Job Title *

Country *

Account Information

Password

Confirm Password

E-mail Address

Confirm E-mail

Biographical Info

Share a little biographical information to fill out your profile. This may be shown publicly.

Terms and Conditions

Terms and conditions – website usage

Welcome to the Global Marketing Alliance (GMA). The GMA website is a product of the Global Marketing Alliance Ltd. If you continue to browse and use this website, you are agreeing to comply with the following terms and conditions of use, which together with our privacy policy, govern GMA’s dealings with you in relation to this website. If you disagree with any part of these terms and conditions, please do not use our website.

GMA may amend these Terms and Conditions at any time by posting the amended Terms and Conditions on the GMA site.

The term GMA or ‘us’ or ‘we’ refers to the owner of the website whose registered office is at 7a Queen Street, Godalming, Surrey, GU7 1BA, UK. The term ‘you’ refers to the user or viewer of our website or to those who become members of GMA.

The use of this website is subject to the following terms of use:

The content of the pages of this website is for your general information and use only. It is subject to change without notice.
The information provided and the opinions expressed in this website represent the views of the authors and contributors.
Neither we nor any third parties provide any warranty or guarantee as to the accuracy, timeliness, performance, completeness or suitability of the information and materials found or offered on this website for any particular purpose. We are not liable for any inaccuracies or errors.
Your use of any information or materials on this website is entirely at your own risk, it is your responsibility to check that the information available meets your requirements.
This website contains material which is owned by or licensed to us. This material includes, but is not limited to, the design, layout, look, appearance and graphics. Reproduction is prohibited other than in accordance with the copyright notice, which forms part of these terms and conditions.
Information on this site may be contributed by our members or other contributors (including in blogs). We do not control the information they provide and are not responsible for the views expressed
If you believe that your intellectual property rights have been infringed on this site please notify us. We accept no liability for infringements as a result of user generated content but we will take reasonable action to remove such content where possible.
Unauthorised use of this website may give rise to a claim for damages and/or be a criminal offence.
Every effort is made to keep the website up and running smoothly. However, we take no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.
We reserve the right to refuse, suspend or cancel your access to the site at any time and without notice.
If you are acting as an employee, you warrant that you are authorised to enter into legally binding contracts on behalf of your employer. You further warrant that your employer agrees to be bound by these Terms and Conditions.
Purchases of training products or delegate places at events advertised on this site are subject to the terms and conditions of the providers.
Your use of this website and any dispute arising out of such use of the website is subject to the laws of England, Northern Ireland, Scotland and Wales.

Copyright notice

Any redistribution or reproduction of part or all of the contents in any form is prohibited other than the following:

you may print extracts for your personal and non-commercial use only
you may refer to and quote from the content for review or reference purposes within the limits of “fair dealing”, but only if you acknowledge the website as the source of the material
You may not, except with our express written permission, distribute or commercially exploit the content. Nor may you transmit it or store it in any other website or other form of electronic retrieval system.

I agree to the Terms and Conditions

Full Name LEAVE THIS BLANK

I agree to the Terms and Conditions

Author: Renée Frappier

PacNet Services Ltd | www.the-gma.com

Renée Frappier is director of marketing for PacNet Services Ltd, an international ecommerce payment processing company.

Why action and transparency matter during a security breach

What customers go through during a security breach