How Customers View Businesses After a Data Breach

by John DiGiacomo

Partner

Data Breach

Nothing can be quite as devastating to a business’s customer base as a data breach. How do customers perceive businesses after a data breach? What was once a highly trusted, well-regarded company could be quickly downgraded to an untrustworthy, irresponsible company after a data breach. The public generally perceives data breaches as a sign that a business was irresponsible with customers’ personal and payment data. A business that is victimized by a security breach is not viewed by customers as a victim. Instead, customers are often harsh in their reaction to a data security breach, oftentimes because they feel that their data has been exposed and because the trust between them and the business has been breached.

Many companies have endured a data breach and have managed to recover with their customers. While not all customers may choose to continue their relationship with a business after a data breach, many customers will return to a business once they feel that the business can be trusted again.

Steps Businesses Can Take to Rebuild Trust With Customers

Even after a highly publicized data breach, there are steps that a business can take to start rebuilding trust with its customer base. One of the most important steps for a business to take after a data breach is to acknowledge that the breach happened and apologize for it. Customers may initially react emotionally to news that their personal data or payment information has been compromised as the result of a data breach, but customers can be reminded that data breaches happen to a lot of businesses.

Additionally, taking the appropriate steps to notify the affected customers also helps customers to start rebuilding their sense of trust in the business. A business that reaches out to affected customers in a timely manner appears to be taking responsibility in the aftermath of a data breach. Timely notification about the breach in compliance with state and federal breach notification laws also makes the customer feel like the business cares that this unfortunate circumstance befell the company and the customer.

Finally, businesses can inform customers about how the business is coping with the data breach. By explaining to customers the steps that the business is taking to ensure that a similar breach does not occur again in the future, a business can begin to foster a sense of trust between the customer and itself. Customers like to see businesses that have been victimized by a data breach taking measurable steps forward to secure against future data breaches.

Speak With a Data Breach Lawyer

Businesses large and small fall victim to data security breaches, and when a breach happens to your business, it could have a negative impact on how your customers perceive you. The team of data breach lawyers at Revision Legal has helped a number of companies across the country deal with data security breaches and data breach notification compliance. The laws associated with data breach notification can vary from state to state, and additional federal requirements might exist depending on what industry the data breach occurred in. Things need to move quickly after you have confirmed that your business has been subject to a data breach. You need the legal team from Revision Legal in your corner today. Contact us using the form on this page or call us at 855-473-8474.

The Legal Dimension: What Notification Requirements Demand — and Why They Help Reputation

Prompt notification to affected customers is not just good public relations — it is a legal obligation under every state’s breach notification statute. For businesses operating in multiple states, the matrix of notification requirements can be complex: California (Cal. Civ. Code § 1798.29) requires notification in the most expedient time possible; New York (N.Y. Gen. Bus. Law § 899-aa) requires notification in the most expedient time possible and without unreasonable delay; and several states impose hard deadlines of 30, 45, or 60 days. For covered healthcare entities, HIPAA’s 60-day rule applies on top of state requirements.

What is counterintuitive — but well documented in consumer research — is that businesses that notify promptly and transparently tend to fare better in customer retention than those that delay. Customers who receive a timely, clear notification letter that explains what happened, what data was involved, and what the company is doing in response consistently report higher residual trust in the business than customers who learn about a breach from news reports or third parties. The notification is itself a reputation-repair mechanism when executed well.

Class Action and Regulatory Exposure After a Breach

Beyond the reputational damage a data breach causes, businesses face significant legal exposure in the form of class action lawsuits and regulatory enforcement. Plaintiffs’ class action attorneys routinely file suits within days of a high-profile breach announcement, alleging negligence in data security, violation of state consumer protection statutes, and breach of implied contract with customers who entrusted the business with their personal data. Courts have been increasingly receptive to standing arguments based on the heightened risk of identity theft following a breach, even without allegations of concrete financial harm to individual plaintiffs.

State attorneys general have also become more aggressive in investigating data breaches and bringing enforcement actions against companies whose security practices are deemed inadequate. The FTC has authority to bring enforcement actions against businesses that engage in unfair or deceptive practices, including failing to maintain reasonable data security — authority it has used in high-profile actions against companies like LabCorp and Equifax. The combination of class action exposure and regulatory scrutiny makes data breach response a legal emergency, not merely a public relations crisis.

The Communication Strategy: Legal and Practical Guidance

Experienced data breach counsel can help a business develop a notification strategy that satisfies legal requirements while maximizing the reputational benefit of the communication. Key principles include:

  • Be specific about what happened. Vague language like “a security incident may have affected some customer data” reads as evasive and erodes trust. Customers deserve to know what types of data were exposed and the approximate timeframe of the incident.
  • Explain what the company is doing. Customers want to know that the breach has been contained, that law enforcement has been notified where appropriate, and that the company is implementing measures to prevent recurrence. Concrete steps — a named forensic investigation firm, specific security upgrades, increased employee training — are more credible than generalities.
  • Provide actionable guidance. Breach notification letters should include practical steps affected customers can take: monitoring their credit reports, placing a fraud alert or security freeze with the major credit bureaus, and using any free credit monitoring service the company is providing. Many states require notification letters to include this guidance by law.
  • Coordinate the legal and communications teams. Notification letters drafted solely by public relations professionals without legal review may fail to meet statutory requirements; letters drafted solely by lawyers without communications input may read as cold and formulaic. The best notifications are collaborative products.

The data breach response attorneys at Revision Legal help businesses navigate every aspect of post-breach legal compliance and customer communication. From drafting compliant multi-state notification letters to responding to regulatory inquiries to defending class action suits, we provide the comprehensive support businesses need to protect their legal interests and rebuild customer trust after a breach. Contact us using the form on this page or call us at 855-473-8474.

Image credit: Free Press/Free Press Action Fund