Letting Customers Chase Your Thieves Gets Something More Valuable Than A Nabbed Thief: A Loyal and Happy Customer

Written by Mark Rasch
Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.
Do you need help tracking down the cyberthieves who periodically attack? Maybe you do, maybe you don’t. But if you set up a mechanism to let your customers try and help, you might get something much more valuable than a captured thief: lots of happy and loyal customers. Sound strange? It is. But it’s also true.
Consider this true story: About a week ago, my wife’s E-mail provider notified her that she was a baaaaad girl. Apparently she had sent out a bunch of spam in violation of the Terms of Service. Of course, it wasn’t her, and I notified the provider of this fact. Fine. End of story, right? I think not. What happened next, or more accurately what didn’t happen next, is a cautionary tale about the nature of the relationships between IT vendors and customers (like merchants) and the relationships between merchants and their customers.
It also presents an opportunity for merchants, ISPs and others to enlist the help of their customers with respect to data breaches, vulnerabilities and other incidents and to not look at them as merely passive “victims.” If you have a little faith in your customers, you can empower them to help you with inquiries and, effectively, crowdsource your data breach investigation.
Typical consumer notifications contain both bare-bones and boilerplate information about the nature and scope of the breach and response. You know: “Dear customer, We have discovered that on (insert date here) we suffered a breach which may (or may not) have compromised your (insert nature of information here). We have been cooperating with law enforcement and do not believe that your information is at risk, but we are providing the number of the three credit reporting agencies in case you feel like overreacting and panicking…” Or something like that.
In fact, on September 1, California Governor Jerry Brown signed SB24 into law which, like laws in several other states, mandates that data-breach notifications include information like the date of the breach, a general description of the breach incident (if that information is possible to determine at the time the notice is provided) and information about what has been done or what can be done to minimize harm resulting from the breach. Stuff you should be including in the breach notifications anyway.
But none of these things helps the consumer help you, except to the extent that they mitigate harm. They don’t help you find and prosecute the bad guys. And as the recipient of several of these notices, I want to find the bad guys. So do many of your customers. So why not let them help you?