So you’ve had a data breach. Don’t worry, it’s not just you. These days it happens to everyone, no matter how large or small your company is. It’s almost inevitable, some might say, and not a case of if but when.
A lot is already out of your control. Whether a hacker broke in and stole customer data or someone on staff left a cloud server exposed without a password, the incident alone is bad enough. But then you’ll also face a stream of headlines, flak from your customers, and endless tweets and social media posts. Trust will invariably suffer, your brand will hurt, and recovery will seem a million miles away.
But as breaches become more commonplace, few people remember the incident itself — or even the number of users or customers affected. No matter what kind of security incident you’re thrown into, what happens afterward is how you will be remembered.
Get it right and you can save face. Get it wrong and you’ll never live it down. Here’s what not to do when you have a data breach.
Don’t try to cover it up
Two words: Own it.
Full disclosure is as important for your company as it is for your customers. Assuming — as is often the case — that customer data has been stolen, you need to tell your customers. People will need to take proactive measures to protect themselves, like getting new credit cards, changing their passwords, or even deleting their accounts. Companies also have to comply with a range of laws and regulations — from Europe’s GDPR to California’s forthcoming privacy law and every U.S. state’s data breach notification rules, many of which set deadlines for notifying affected people and regulators.