Communication with Affected Customers
During incidents that affect customers, transparent, empathetic and timely communication is essential to maintain trust and meet regulatory and contractual obligations.
The Importance of Communication
Security incidents test the relationship with customers. Poorly executed communication can cause lasting reputational damage, while adequate transparency can strengthen trust even during a crisis.
Customers value honesty and speed. Learning about an incident through the media or third parties instead of directly from the company erodes trust irreparably.
When to Communicate
Direct Impact: If customer data was compromised or accessed, notification is imperative - legally (LGPD) and ethically.
Service Disruption: Downtime that affects customer operations requires immediate communication with restoration ETAs.
Potential Exposure: Even without confirmation of data access, if there was a reasonable possibility, proactive communication demonstrates responsibility.
Contractual Obligations: SLAs and enterprise contracts frequently specify notification obligations - review and comply with them rigorously.
Communication Timing
Initial Notification: Communicate as soon as the initial scope is understood, even with limited information. Transparency about uncertainties is better than silence.
Regular Updates: Establish a cadence of updates (e.g., daily) even when there are no significant changes. Silence generates anxiety and speculation.
Final Communication: After resolution, a complete summary with timeline, root cause, actions taken and improvements implemented.
Communication Content
What Happened: A factual description of the incident without excessive technical jargon. Customers want to understand in simple terms.
Which Data Was Affected: Clearly specify which types of data were or may have been compromised. Being specific helps customers assess personal risk.
When It Occurred: Timeline of the incident - when it was detected, the estimated exposure window.
What We Are Doing: Containment, investigation and remediation actions. Demonstrate control and competence.
What Customers Should Do: Practical recommendations - password change, account monitoring, attention to phishing, available support resources.
Point of Contact: A dedicated channel for questions - email, phone, portal. Ensure the capacity to handle the expected volume of inquiries.
Tone and Language
Empathy: Acknowledge legitimate concern and the inconvenience caused. "We understand that this situation causes concern..."
Accountability: Take responsibility without evasive language. "We failed to..." not "mistakes were made".
Clarity: Avoid technical jargon. If technical terms are necessary, explain them in accessible language.
Honesty: Be transparent about what you know and what you are still investigating. Admitting uncertainties generates more credibility than premature certainties.
Communication Channels
Direct Email: For B2B customers or cases with compromised data. Personalized when possible, at least segmented by severity of impact.
Status Portal: A dedicated incident status page accessible publicly or to logged-in customers. Update regularly.
In-App Notification: Notifications within applications or dashboards for immediate visibility.
Website Banner: For high-impact incidents, a prominent banner on the corporate site linking to detailed information.
Social Media: Twitter, LinkedIn for broad reach and public transparency. Requires careful coordination with PR.
Audience Segmentation
Tier 1 - Directly Affected: Customers whose data was confirmed to be compromised. More detailed communication, priority support.
Tier 2 - Potentially Affected: Customers within the scope of affected systems but without confirmation of compromise. Preventive communication.
Tier 3 - General Base: Customers not directly affected but who should be informed for transparency. More general communication.
Customer Support
Prepared Call Center: Train the support team on the incident, FAQs and escalation paths before notifying customers.
Self-Service Resources: Detailed FAQ, step-by-step guides for recommended actions, explanatory videos.
Scaled Capacity: Increase support staffing in anticipation of the volume of contacts. Consider temporary outsourcing if necessary.
Priority Support: Fast-track for enterprise or most affected customers.
Compensation and Gestures
Credit Monitoring: For personal data breaches, offer free credit monitoring (12-24 months).
Service Credits: For significant downtimes, service credits or subscription extensions.
Enhanced Security: Accelerated implementation of additional security features (MFA, advanced alerts) at no cost.
Identity Protection: Identity protection services for severe cases.
Legal Aspects
Legal Review: All external communications should be reviewed by legal counsel before sending to manage litigation risks.
Careful Admissions: Be factual without making broad admissions of negligence or liability that could be used in lawsuits.
Compliance with Regulations: LGPD, GDPR and sector regulations have specific notification requirements - ensure compliance.
Managing Expectations
Realistic Timelines: Do not promise impossible ETAs under pressure. It is better to overestimate and deliver early than to underestimate and disappoint.
Transparency about Uncertainties: "Still investigating X" is better than speculating or giving incorrect information that will need to be corrected.
Acknowledge Impact: Validate customers' frustration and concern without defensiveness.
Post-Incident Communication
Public Post-Mortem: Consider publishing a detailed post-mortem (respecting appropriate confidentiality) demonstrating transparency and learning.
Improvements Implemented: Concretely communicate which improvements were implemented to prevent recurrence.
Follow-Up: Follow-up months later to demonstrate ongoing commitment to security.
Success Metrics
Churn Rate: Percentage of customers who cancel after the incident versus the normal baseline.
NPS/CSAT: Impact on customer satisfaction scores.
Support Volume: Volume of support tickets and average resolution time.
Media Sentiment: Sentiment analysis on social media and press coverage.
Prepared Templates
Prepare templates in advance for different severities and types of incidents:
Data Breach: A specific template for personal data exposure with all the elements required by LGPD.
Service Outage: A template for downtime focused on transparency about the cause and ETA.
Ransomware: A template balancing transparency with considerations of negotiation with attackers.
Final Recommendations
Effective communication with customers during crises is an art that balances transparency, empathy and legal protection. Customers forgive technical errors more easily than a lack of transparency. Organizations that communicate proactively and honestly during crises emerge with strengthened relationships. Advance preparation - templates, processes, training - enables execution under pressure.
