Customer-facing communication following a breach is a critical component of incident response and the first step in reassuring consumers that your organization is handling the incident appropriately. Botch the response, and you’ll never be able to regain customer trust. Nail the response, and you have an opportunity to not only regain their trust but also strengthen the relationship.
OPM communicated publicly that it would be sending all notifications from a specific email address: “firstname.lastname@example.org”. The notification wasn’t a bad thing in itself. However, OPM and CSID made a couple of key mistakes:
› First, they used a third-party domain, csid.com, rather than their own. This is confusing for the people being notified, who don’t understand the relationship of CSID to OPM. It opens the door for other, similar third-party domains to make similar claims of being authorized.
› Second, and even more critical: the address was not secure. Anyone could send emails claiming to be from it, and the recipients couldn’t tell the difference. So, in effect, they told the criminals exactly what address to spoof to be as effective as possible.
› Keep it simple:
Choose one simple, easily communicated email address for breach notification. Use a primary brand domain and a short email address, e.g. email@example.com, that is easy for your customers to recognize and remember. Use the same simple domain as the destination URL for the customer call to action and avoid any embedded links. We strongly advise against using third-party domains or sub-domains, as they will introduce confusion that criminals will exploit.
› Make it clear:
Spell out how you will direct customers to take advantage of any offers, specifically that you will provide URLs but never ask them to click a link in the email.
› Turn on DMARC for visibility and protection:
Gain visibility into current email traffic on the target domain now, then bring it to a protected status to lock the phishers out and ensure that only you can send to your customers. Enterprises also need to publicly disclose the breach and start notifying clients. It is during this period that email becomes key to every data breach notification plan, and the plan should include steps to ensure a secure and authenticated email channel to communicate through.
› Identify secure vs. insecure email addresses:
Configure your email sending software to deliver important information only to recipient email domains that validate DMARC on inbound mail, and thus are secure. A list of secure domains—covering the vast majority of consumer inboxes in the U.S. and much of Europe—is available at DMARC-ISPs.
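The two previous steps, as an added example that is not part of the original article: a parser for a DMARC TXT record that tells a monitoring-only policy (p=none) apart from an enforcing one, and a filter that holds back notification mail to recipient domains not on a DMARC-validating allowlist. The records and the allowlist are constructed stand-ins; a real deployment would fetch _dmarc.<domain> over DNS and use the published DMARC-ISPs list.

```python
from typing import Dict, List, Tuple

# Constructed DMARC records for the sending domain, one per stage the article
# describes: visibility only, then protected. Real records live at _dmarc.<domain>.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
PROTECTED = "v=DMARC1; p=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; reject anything that is not DMARC1."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def protection_status(record: str) -> str:
    """'unprotected' for p=none (reports only, spoofing still delivered),
    'partially protected' if pct < 100, 'protected' for full quarantine/reject."""
    tags = parse_dmarc(record)
    if tags.get("p", "none").lower() == "none":
        return "unprotected"
    if int(tags.get("pct", "100")) < 100:
        return "partially protected"
    return "protected"


# Constructed allowlist of mailbox-provider domains that validate DMARC on
# inbound mail (stand-in for the DMARC-ISPs list the article refers to).
DMARC_VALIDATING_DOMAINS = {"mailbox-a.example", "mailbox-b.example"}


def split_recipients(addresses: List[str]) -> Tuple[List[str], List[str]]:
    """Return (deliverable, held): recipients at validating domains vs. all others."""
    deliverable: List[str] = []
    held: List[str] = []
    for addr in addresses:
        domain = addr.rsplit("@", 1)[-1].lower()
        (deliverable if domain in DMARC_VALIDATING_DOMAINS else held).append(addr)
    return deliverable, held
```

Recipients in the held list still need notifying, but through a channel where a spoofed copy cannot arrive alongside the real one.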
› Use web, press, and social to communicate the plan:
These one-to-many channels are great for setting expectations of what and to whom you’ll be communicating personalized information via email. Include:
• When and from which email address you will communicate
• Which email domains you will send to and why (it’s secure!), and make it clear that no other domains will receive email
• Set expectations for the content in the emails
• Clarify how you will direct them to take advantage of any offers, specifying that you will provide URLs but never ask them to click a link in the email
› Take credit for your readiness:
Regularly update and test your email notification process end-to-end, using the opportunity to tell customers what you’re doing to help keep them secure.
For more information about DMARC