Post-Breach Credit Monitoring Strategies
Maintaining Good Relationships After an Incident
"For higher-risk breaches, with Social Security numbers involved, I advocate calling people," says Dean, senior HIPAA and privacy consultant at SecureState. "That's going to be perceived by most customers as a value. They're less likely to leave your organization and go to one of your competitors."
Going beyond a mailed letter offering credit monitoring helps maintain good customer relations after a serious breach, he says in an interview with Information Security Media Group.
Offering free credit protection and restoration services is a "goodwill gesture" that makes sense after a breach of sensitive information, even if only a minority of breach victims actually use the services, Dean says. But choosing the right service to offer can prove challenging because so many options are available. "What consumers are looking for ... is an offering with a minimum of false positive alerts," he stresses.
In the interview, Dean says organizations need to:
- Build and test an incident response plan before a breach occurs that includes such details as what credit monitoring service would be offered;
- Prepare all employees for handling customer inquiries about breaches;
- Conduct a thorough root cause analysis after an incident. "You need to spend the time to make sure it doesn't happen again. Clearly if you have one breach, attrition rates are very high. But if you have two, the attrition rates typically quadruple."
Before joining the consulting firm SecureState, Dean was the HIPAA officer and senior vice president of privacy for KeyCorp, Cleveland, Ohio. He is also an adjunct professor at Bryant and Stratton College.