Victim of a Cyber Attack? What You Should Tell Customers


It seems like every day consumers are learning of data breeches from companies like Sega, Sony and Google. Major corporations like these tend to have the funds and resources to recover from an attack, but for small businesses, that’s often not the case.

A slow response and lack of communication with customers are among the missteps many small businesses make when facing an attack, both of which can cause irreparable damage to the business.

“When consumers are a victim of ID fraud based on interaction with a small business, 1 in 3 never come back,” said Phil Blank, senior analyst for security and fraud at Javelin Strategy & Research.

While data breaches hitting major banks and corporations tend to dominate headlines, small businesses are increasingly becoming targets. Hackers like to prey on small businesses because computers and mobile phones tend to be used for both work and personal use, and many small businesses don’t have an IT staff monitoring and protecting operations.

According to Javelin, small business fraud totaled $8 billion in 2010. Of that, banks, merchants and other providers absorbed $5.43 billion of the loss while the cost to victims was $2.61 billion.

Although the first line of defense against an attack is to have proper procedures and policies in place, if it does happen, there are steps that need to be taken immediately to mitigate the impact. The experts advise owners’ first step should be to communicate with customers quickly.

“You don’t have a large amount of time between a hack and when you tell a client,” said Blank at Javelin. That doesn’t mean you have to tell clients within a day of it happening, but you shouldn’t wait a couple of months either. Blank said customers should be notified within a week of the hack. “If people know within a week they have the ability to do something about it.”

To ensure the small business is communicating correctly to the customers, John Sileo, founder of and a professional identity theft speaker, said a small business owner should get professional help, whether it’s a privacy lawyer or a company that deals with data breach responses.

Each state has different laws and regulations pertaining to data breaches and a data breach company will be well versed in the rules governing the states. “This is too big for a small business to handle internally,” said Sileo. “They could end up making some legal choices without knowing it that can get them in hot water.”

Act to Show Goodwill

Once a small business has communicated the problem to customers, it has to show it is taking steps to help clients prevent having their identity and personal data comprised. To do that, Blank of Javelin said small businesses have to offer clients at least one year of credit protection and monitoring for free. Giving free credit monitoring and protection will reassure customers and make them feel more comfortable that the business is being proactive. “It’s really important for the small business owner to reach out multiple times to their clients because they don’t want to lose one third of the business,” said Blank.

Sileo noted that setting up a hotline to allow customers to ask questions and get answers will also go a long way in building back goodwill. Clients want to know what happened, how they are being protected and what is being done to fix the situation, he said.

Let Customers Know How the Problem Was Fixed

Small businesses need to be vocal about how the problem is being resolved. By being upfront with customers, it will build confidence that the business is taking the situation seriously and is taking steps from preventing it from happening in the future.

“It’s really important that the business gets professional help in terms of why they were hacked and what they need to do to make sure it doesn’t happen again,” said Javelin’s Blank. “Often  consumers allow some amount of understanding. If a breach happens more than once they lose total credibility.”