We read that Zappos.com was breached on Sunday, to the tune of 24+ million users’ worth of information. But it seems at first blush they responded well. Of course, a company would hope to never have a breach at all, but when it happened at Zappos.com, here are some of the things they appear to have done right.
#1 Notify your customers quickly: It may seem obvious, but more than a few companies that have breaches are slow to admit it. In this case, the Zappos CEO sent out an internal email describing the breach details that were relevant, along with outlining steps they planned on taking to remedy the breach. This was followed by a notification email sent to the users affected.
#2 Reveal the extent of the breach: Zappos.com outlined in the customer notification email the extent of information that may have been compromised, and what appeared to have been safe. They said in their communication The database that stores your critical credit card and other payment data was NOT affected or accessed.
#3 What they’re doing to protect you: Zappos.com outlined specific details about how customers could protect themselves, in this case by changing a password. Even though the passwords that may have been accessed were scrambled , if users changed them quickly, the black market value of the passwords would be significantly reduced. Also, it would hinder further attempts access personal data using the existing passwords.
#4 Tell users where to find more information: They put up a special website to disseminate information as it becomes available. This does two things: 1) established a central clearinghouse for relevant information, and 2) reduced the repetitiveness of the requests their support staff may receive.
#5 Beef up incident response staff: Speaking of support personnel to handle incident management, Zappos asked employees, regardless of department, to assist with offloading the burden of the sheer number of breach-related communication they anticipated receiving in response to the situation.
In short, they handled this better than many. Although the goal would be to never have a breach in the first place, if it happens, there is a crisis of confidence among the customers. Acting quickly and decisively can work wonders toward restoring that confidence, as customers sense they are receiving current, relevant, and honest communication about the incident. Still, restoring confidence can take years, but this style of communication can make things much better. In 2012 we hope to see fewer breaches, but it also may be wise to determine internally how your company would respond to a breach, what you would tell your customers, and what extra staff might you need to handle the extra support involved.
Author Cameron Camp, ESET