The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.
Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult.
Many of the areas where we have seen companies struggle involve management-level strategic decisions that must be made when a security incident is identified. This eight-part series explores these difficult decision points. For each there are no “right” or “wrong” answers. Like all strategic decisions management must examine the specific facts facing their company and their organization’s culture, their industry, and business realities.
While there may be no right or wrong answer, in our experience executives that have anticipated these decision points before a breach are better able to make decisions that align with the organization’s overall strategic goals and are able to do so with greater speed and confidence.
Part 8: ID Theft Related Service Offerings.
Situation. Although companies are not generally required to offer services to consumers whose information was involved in a breach, many organizations choose to offer credit reports, credit monitoring, identity theft restoration services, and/or identity theft insurance if they have to notify individuals about a breach.
Strategic considerations: Management typically considers the following factors when determining what (if anything) to offer post-breach:
- What makes rational sense? Some companies have offered benefits to breach victims that don’t have a rational connection to the breach. For example, one large retailer offered breach victims a discount (g., 15% off) of future purchases. By and large offers that minimize the importance of a data breach (e.g., a discount on services) tend to backfire. Even when the offering seems related to data breaches in general it may not make rational sense to the specific breach at hand. For example, many companies that have experienced credit card data breaches have offered consumers free credit monitoring. Credit monitoring, however, is designed to monitor new accounts that are opened under the consumer’s name. As most new accounts require a consumer’s social security number (and no new accounts are opened using credit card numbers), there is really no rational connection between a credit card breach and an offer of credit monitoring.
- What will consumers expect? Even if there is no connection between a breach and a specific service, consumers have come to expect certain benefits (g., credit monitoring). Companies often must make a strategic decision about whether they are going to attempt to address the real harm (if any) that a consumer may face, or simply respond to consumer demands/expectations even if those demands are not based on real risk or facts.
- How might an offering backfire? Management often decides to respond to consumers demands for services that are not related to a specific security event (g., credit monitoring) in order to help rebuild the company’s brand, and/or preserve relationships or goodwill with consumers. Perpetuating a consumer’s misperception that a service is related to the breach, however, can backfire. For example, in at least two cases courts have misinterpreted companies’ willingness to offer credit monitoring as an admission that consumers were at risk of having their credit impacted.