Government regulations, including the well-known HIPAA and GLBA, are quite clear on the notification requirements for businesses suffering a data breach, but simply adhering to the regulations is not enough to keep your customers. The responses to recent breaches show that customers are unhappy with organizations such as the South Carolina Department of Revenue, Adobe, ADPI and Nationwide Mutual Insurance because of their poor response.
In the 2012 consumer study on data breach notification, 72% of respondents said they were disappointed in the way notification was handled, and 67% said the notification did not provide enough details about the breach. Furthermore, data breaches affect whether the organization can keep its customers: following a breach, 15% will terminate the relationship and 35% say the relationship depends on whether the company suffers another breach.
The Ponemon Institute provides some guidance on how organizations can better handle data breach notification. First, notify customers quickly following a breach; if you are unclear about the full scope of the breach, explain that the investigation is still underway. Next, deliver the notification in a way that differentiates it from junk mail. Notification letters should be short and easy to understand, with specifics about the breach and its impact on the customer.