The Right Way to Respond to a Breach
Open Communication Goes a Long Way with Customers
Let's talk about breach response done right.
DBS, one of the largest retail banks in South East Asia, recently issued warnings about a $1 million [U.S. $774,594.06] card-fraud scheme it traced to two ATMs. And after the skimming attack hit 700 of its accountholders, DBS took a proactive step and launched an SMS/text alert service to ensure accountholders were provided up-to-date communications about their balances. [See ATM Fraud Prompts Text Alerts.]
Even the bank's CEO got in on the action by issuing a public apology for the compromise. Over the next week, DBS regularly updated its website with new information - sometimes several times a day.
Could you ask for better acknowledgement and awareness efforts?
Perhaps DBS has just been faster to figure out the communication perils the Internet Age poses. But compare this bank's breach response to reactions we've seen from some organizations in the U.S.
Remember in fall 2010, when Chase's online-banking site went down? Chase was reluctant to say anything about the outage. Or how about last March, when several Bank of America debit cardholders noticed fraudulent transactions hitting their accounts? BofA responded, but the communications offered no guidance, no admission of fault and no resolution. [See Bank of America Denies Breach.]
We've learned over the last 12 months how ineffective and potentially damaging it can be to say too little about a security incident. But how much information is too much?
It's hard to compare DBS's communications with the ways most U.S. institutions react to security incidents. Many attorneys and PR departments would never suggest the head of a top-tier institution admit responsibility for an incident, much less provide ongoing updates that could later backfire and be used in a court of law.
But legal and PR departments have to realize that saying nothing can cause great reputational damage. As breach response garners more attention, organizations all over the world will be held to a higher standard.
I think we can all learn from the DBS example. It's better to take responsibility from the outset than to be held accountable later.