Security breaches, no longer aberrations, need their own customer journeys
Especially with the tight turnarounds mandated by GDPR and others, brands need to plan the steps for communicating with, and retaining, their customers.
If you thought a theft of customer data was a marketing nightmare before the new General Data Protection Regulation (GDPR), it’s time to wake up.
Under GDPR regulations for companies handling the personal data of EU citizens, companies must identify the breach, find out which individuals have been impacted and notify them — all within a 72-hour period.
But those three days probably seem like a luxurious vacation to banks in India, according to Ted Bardusch, chief information security officer of customer engagement hub Usermind.
Two years ago, The Reserve Bank of India decreed that any banks suffering a security breach must report it in no more than six hours.
Whatever the actual number of hours in your jurisdiction, the trend is clear. The length of time that companies have to publicly respond to a security breach is getting shorter and shorter.
Aside from better security measures, Bardusch suggests that brands should now extend customer journeys past their end zone of a loyalty or brand advocate stage and into a set of steps to handle customer interactions during a security breach. Obviously, the more planning a brand does beforehand, the faster it can respond.
Bardusch’s employer, Usermind, builds its customer engagement solution around customer journeys. But, unlike the maps that take a customer through product awareness, comparison, testing, purchase and loyalty, to name some common steps, this extended journey has a different purpose. It is intended to reassure the customer, allay some of her fears and keep her as a customer.
A good place to start, Bardusch told me recently, is before the breach ever happens. You plan out the extended journey, beginning with steps that teach your customers about maintaining the security of their data, such as password choice or periodic resetting, assurances by the brand that it would never ask for passwords via phone or email, and the adoption of two-factor authentication, if offered.
Not just ‘a collection of reactions’
When a breach has occurred, the brand hopefully has in place a prearranged and companywide security response that includes an immediate audit of which customers are affected, and to what extent.
Once the impact is assessed, it’s now time to implement the security breach part of the newly extended journey. Prewritten communications — possibly including previously recorded video — must be modified immediately to accurately convey the current situation.
Like the steps leading someone to make a purchase, this part of the customer journey similarly requires clarity and honesty. Obfuscation or misleading assurances will only damage the relationship further.
But the response “shouldn’t just be a collection of reactions,” Bardusch said, as marketers must realize this part of the journey can be quite emotional for the customer. As in any customer journey, there needs to be a map of touch points with the customer that has a specific set of reinforcing goals, such as an apology “that makes an impression” because it is tailored to the individual in question.
A gold customer, for instance, may receive an apology that acknowledges the long-term relationship and offers more compensation — such as additional loyalty points or discounts — than a brand new customer might receive. Other steps, for any customer, might offer such things as access to tools for checking if the security breach has affected the customer’s credit rating and for correcting the error.
The key is letting the customer know that the brand understands the seriousness of the breach, assuring the customer of steps you are taking to restore confidence and to continue the customer’s engagement.
Bardusch pointed out that, until the breach is satisfactorily resolved and there is a sense that customers’ confidence and engagement is on the way to normalcy, marketers should “pause all other marketing messages to the impacted customers.”
Security breaches have become a fact of corporate life, and they are now compounded by the increasingly stringent requirements for quick recovery. This means that customer journeys, which previously ended somewhere around loyalty programs, now need extensions providing a clear plan for helping customers through these additional steps: awareness, anger, understanding, reassurance of control and, hopefully, continued loyalty.