While reading a lot of breach notification letters on websites over the past year or so, I’ve noticed a great deal of vagueness as companies tend to gloss over the nitty gritty of how credit card numbers or health diagnoses were actually leaked, stolen or lost.
Now there’s hard data to back that up.
The Poneman Institute and Experian Data Breach Resolution combined powers to investigate the consumer side of things. They found that more than 70 percent of people who received breach notification letters were not satisfied with the alerts and wanted more information.
When something goes wrong, a lot of companies don’t want to own up to it in fears of scaring off their customers. But isn’t there at least some level of obligation for businesses to divulge as much information as possible to the very people that trusted and invested in them? Sixty-seven percent of affected consumers surveyed claimed the notifications didn’t provide enough details. And 37 percent said they weren’t even sure what the incident was about.
Sixty-one percent said they had trouble understanding their notification letters. If the goal of improving patient care or customer service is, in fact, consumer-based, shouldn’t we strive to be as transparent as we possibly can be after a breach? Many companies don’t think so. They think avoiding the difficult details and highlighting their remediation tactics will be enough to save face.
[Even the Department of Health and Human Services recently recognized and included a clause in the final HIPAA omnibus rule that mandates breach notifications sent to affected patients or individuals must be written in plain language (164.404, pg. 859). Although this applies to the healthcare industry, all industry should take note and employ this as a best practice.]
But sometimes, as patients and consumers, they deserve more – they deserve to know exactly how a server was hacked, or why their paper records were lost, etc. To me, I can’t see the point of offering a solution when the problem is never fully addressed.
Being completely transparent every step of the way shows true integrity and honesty, even if it seems like a bad PR move, and can actually bolster the image of an organization that is willing to take responsibility for their actions, or lack thereof.
At Online Tech, if we’re doing maintenance or if any disruption in our hosting services to our clients is detected or foreseen, we immediately send out notifications to anyone that might be or has been affected, even it’s not good news, because we believe in complete transparency.
Breach notification clarity and thoroughness shouldn’t just be a checkbox to satisfy legislation, similar to the way compliance requirements shouldn’t take precedence over actual security. People trust you with their personal information – you should give them the full truth in return.
Getting educated on prevention tactics is key to avoiding a data breach. Attend our free webinar on Healthcare Security Vulnerabilities next Tuesday for tips from a security expert. Although this webinar will be geared to the healthcare industry, if your organization stores any sensitive data at all (including customer records, employee records, financial information, intellectual property), this webinar content will be directly applicable.