How to Respond If Your Customer Data Is Stolen
Fact: Sony was forced to shut down its popular PlayStation Network for weeks in April and May after a massive hacker attack targeting credit card information and other personal data compromised more than 100 million user accounts. The company was criticized for waiting a week to inform consumers of the hacker data breach, which was the second largest in U.S. history.
Fact: Prior to Sony’s attack, Epsilon, a unit of Alliance Data Systems that handles online marketing campaigns for major banks, hotels, and stores, had its site hacked. This breach resulted in the theft of millions of email addresses from customers of companies including Citigroup, JPMorgan Chase, Best Buy, the Kroger grocery chain, Walgreen's drugstores, and the Hilton and Marriott hotel chains.
Fact: Millions of Americans are worried about the problem, and if your business is attacked, you might very well have the displeasure of having to take steps to correct the problem. Here are five recommendations from the Federal Trade Commission for how your company should respond.
1) Send your customers a Data Breach Notification letter ASAP. Nobody likes bad news. So the sooner you send your customers a letter or email about their data being stolen, the better for all parties involved so they can mitigate the misuse of their information. In the letter, clearly state the facts you know about the compromise, including what information was involved (email addresses, passwords, credit card information, Social Security numbers, etc.), how it happened, how the thieves might have used the information, and what actions you’ve already taken. Use this model letter from the FTC as a guide. Remember to designate a contact person within your organization and how to reach him or her.
2) Ask your customers to contact the three major credit bureaus. If names and Social Security numbers of your customers have been stolen, use your notification letter to suggest that they contact the major credit bureaus for additional information or advice. If the compromise involves a large group of people, you should contact the credit bureaus and advise if you are recommending that people request fraud alerts for their files. Your advance notice to the credit bureaus can facilitate customer assistance:
3) Notify your local police department. If your data breach results in harm to a person or a business, call your local police department immediately. Report your situation and the potential risk for identity theft for your customers. As with your initial notification letter, the sooner law enforcement learns about the theft, the more effective they can be. If your local police are not familiar with investigating information compromises, contact your local FBI office or the U.S. Secret Service. For incidents involving mail theft of customer data, contact the U.S. Postal Inspection Service. To find the nearest field office, use an online search engine or check the blue pages of your telephone directory.
4) Contact other businesses that may have been affected. Data compromises often impact banks or credit issuers. If account information such as customer credit card or bank account numbers has been stolen from your business, but you do not maintain the accounts for your customers, notify the institution that does so it can monitor the accounts for fraudulent activity. But if you do collect or store personal information on behalf of other businesses, notify them of any information that may have been compromised.
5) File your complaint with the Federal Trade Commission. As a consumer watchdog that helps you fight back against identity theft, the FTC maintains a database of identity theft cases used by law enforcement agencies for their investigations. By having your company file a complaint at www.ftc.gov/idtheft or by calling 1-877-ID-THEFT (877-438-4338 ), it helps them learn more about identity theft and the problems victims like your customers are having.
For more information, see “Dealing With A Data Breach” from the Federal Trade Commission.