Dealing with a Data Breach and Maintaining Customer Trust

Michael Bruemmer 2012

Retailers rely on the satisfaction and trust of their customers in order to successfully operate and grow; unfortunately, many businesses may be neglecting to prioritize protecting their customers’ data. This is like a fashion faux pas; according to a consumer study from the Ponemon Institute, data breaches are amongst the top three incidents that tarnish a brand’s reputation in their eyes – alongside poor customer service or environmental disasters. Given the serious impact a data breach can have on an organization’s reputation and brand image, data breach preparedness and customer communication needs to be a top priority.

Stay ahead of the evolving technology landscape

One of the biggest security challenges in the retail sector right now is navigating how to adopt and implement emerging payment technologies. While new customer convenience options such as mobile payments, virtual currencies and the deployment of chip and PIN are exciting to many, industry research finds a majority of executives believe pressure to migrate to these new payments systems puts customer data at risk. For reference, 59 percent of executives in the payments sector expect mobile payments in stores to increase the risk of suffering a breach, and 54 percent expect near field communications technology to increase security risk. Companies can stay ahead of the evolving landscape by planning in advance how they will roll out new payment systems and ensure customer data remains secure through the transition. They should also avoid gaining a false sense of assumed security with technologies that may promise advanced solutions.

While the shift for companies to adopt EMV payment terminals will likely improve the overall security of transactions in the long-term, companies should not assume it will be a “cure-all” to preventing data breaches. Take into consideration the fact that “card-not-present” fraud has risen in Europe and all other markets where EMV is already in place. Instead of assuming and leading consumers to believe that EMV technology guarantees their information will be safe from cyber thieves, companies need to be open and aware of both the benefits and risks accompanying this technology.

With any new infrastructure comes new vulnerabilities and plans of attack from hackers. Regardless of the technology being adopted, it is important to educate C-level executives and board members of potential security risks from the start. Being aware and having a plan to react quickly to the ever-changing landscape can significantly increase the chances of thwarting criminals and keeping customer data safe.

Have a strong incident response plan and dedicated team

There are many factors to consider when dealing with a data breach, and the best way for companies to prepare is to have a strong incident response plan in place that has been both vetted and practiced before a breach occurs. The plan should include precise steps that would be taken in the event of the breach, and clear roles and responsibilities of the response team.

Companies should consider the involvement of a variety of departments in data breach prevention and response – even those that may not come first to mind. For example, one of the most powerful relationships for the prevention of fraud is that between internal fraud and marketing teams. Together, they can help the top and bottom line by preventing potentially fraudulent transactions without impacting the customer experience. Other more obvious departments to include in the response team are legal and compliance, IT, public relations and human resources. Securing outside partners before a breach occurs is important as well. Some of the key areas include outside legal counsel with breach experience and a resolution provider that can provide customer notification services and an identity theft protection product.

Furthermore, it is important that companies practice their data breach response plan. While more companies are taking the first step of having an incident response plan in place, a majority do not regularly audit and update their plans to account for evolving threats. Seventy-eight percent of companies report they do not regularly update their plans, and about two-thirds don’t have trained staff to respond to customer questions, concerns and complaints if a breach occurs. Like a fire evacuation plan, in order to be successful in implementation, retailers need to dedicate the time and resources necessary to practice incident response.

Communicate effectively with customers

Lastly, the way in which retailers communicate to customers – before, during and after a potential data breach – is instrumental in maintaining customer trust and satisfaction. When faced with a data breach, companies should convey to their customers that they take cybersecurity very seriously and are taking the necessary actions to protect consumer payment card data and personally identifiable information.

The notification letter should also provide a clear explanation of what happened, what the company is doing in response and what actions the customer should take to protect themselves from identity theft and fraud. Customers expect retailers to provide identity theft protection services and resources for further assistance such as a website FAQ and call center.

Retailers must keep up with consumer trends and market changes to stay competitive and this is no different technology-wise. Today, it is crucial for the success of the business to have a good security posture and be prepared for a data breach. If, unfortunately, a breach happens, retailers can prove to customers that they care by acting swiftly and using transparent and earnest communication. Keeping customers a priority when a security incident happens will help retailers preserve trust in their brand and grow the relationship with customers they worked so hard to foster.

More information on data breach preparedness and resources can be found at the Experian Data Breach Resolution website and the Experian Data Breach Resolution blog.

Michael Bruemmer, CHC, CIPP/US, is Vice President with the Experian® Data Breach Resolution group. With more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services. Bruemmer currently resides on the Ponemon Responsible Information Management (RIM) Board, the Information Security Media Group (ISMG) Editorial Advisory Board and the International Association of Privacy Professionals (IAPP) Certification Advisory Board.


More articles from the payment industry


Heartland: Credit Card Fraud At Small Business About to Soar
Examples of Deceptive Trade Practices in The Payment Industry
Advantages Of Mobile Payments
Change Your Socks And Credit Cards
The financial transactions world is changing. Are you staying afloat?
Compliance does not equal security: What the EMV Mandates Mean for You


The Point of Sale News relies on sponsors to stay in business.  Please let vendors know you’ve seen them here!  Thank you.

Click here to subscribe – daily, weekly or once a month point of sale news.  No spam, ever!