Vendors: Do You Have Breach Notifications in Place for Your Customers?

You may be familiar with the phrase, “hope for the best but prepare for the worst.” This is generally a good attitude to take on the prevention of cybersecurity incidents like ransomware attacks or data breaches. These events can happen to any organization, regardless of size or industry, and if you're not prepared to respond to an incident it can significantly harm your reputation as a trustworthy vendor with your customers. 

Preparation is also critical when it comes to customer breach notifications. When a data breach occurs within your organization, you should already have a process in place that promptly notifies your customers with relevant information. 

So, why are customer breach notifications necessary and what should they include? 

The Importance of Data Breach Notifications 

Understanding the why behind data breach notifications can make it easier to identify your goals and develop effective processes. Consider the following reasons why data breach notifications should be included in your cybersecurity practices:

• Regulatory expectations: Although there is no federal data breach notification law that covers all organizations, regulators continue to increase their focus on this issue. The HIPAA Breach Notification Rule mandates that covered entities notify their customers within 60 days of discovering a breach. A Proposed Rule by the SEC would impose a 30-day deadline for organizations such as broker-dealers and registered investment advisors. When a data breach occurs, you’ll want to be prepared in case regulators ask for details. 
  
• Maintain trust with customers: As a vendor, you’ve probably taken a lot of care to build trusted relationships with your customers. Data breaches and other cybersecurity events are difficult enough to resolve, so don’t worsen the issue by neglecting to have breach notifications for your customers. Good reputations can be destroyed quickly if customers first learn about the breach from an outside source, rather than directly from your organization. 
  
• Competitive advantage: A lesser-known benefit of data breach notifications is the potential competitive advantage you may gain. When you take a proactive approach with customer breach notifications, your organization can stand out as one that is aware of cybersecurity best practices and focused on customer communication. Overall, data breach notifications can help strengthen your vendor risk profile when potential customers are vetting your products or services. 

4 Questions to Develop Your Breach Notifications 

There’s no doubt about it – notifying your customers of a data breach probably won’t be the most pleasant experience. However, some proper planning can help the process run more smoothly and potentially retain your good reputation with your customers. 

As you develop your customer breach notification process, consider these questions:

1. Who do we need to notify? One of the first things you’ll need to determine is which customers are impacted by the data breach. Making sure you’re on the same page with your customers about when and how you will notify them is crucial to building solid relationships. You also need to make sure you understand the regulatory requirements for those industries you serve. This will help you better understand the needs of your clients and customers. 
   
2. When will the customer be notified? The rules around notification timelines will vary, but they’re generally written in relation to a breach discovery. In other words, an organization that discovers a breach will need to notify their impacted customers within a certain number of days. It’s important to understand and follow the notification deadlines that impact your organization and customers to ensure you won’t face financial penalties or other regulatory actions.
   
3. What information should be communicated? When a breach occurs, your customers will understandably have a lot of questions and need reassurance. They’ll likely want to know details around what type of information was exposed, how the data breach occurred, what precautions your organization is taking, and how they should move forward in protecting themselves. Consider whether you’ll offer credit monitoring services and how you’ll enhance your current security controls.  
   
4. What method of communication will be used? Whether you plan to notify your customers by mail, email, or some other method, make sure this is documented in your procedures. The last thing you’ll want to do after a breach is frantically rush around, trying to notify your customers in multiple ways. 

Breach notification rules may still be a little disjointed for many industries, but don’t let that stop you from developing a process within your organization. A data breach or other cybersecurity incident will likely impact your organization at some point and preparing a notification process will help keep you in a good position with both regulators and your customers.