When responding to a data breach, a company has two primary objectives that must be balanced: (1) complying with the legal notification and remediation requirements; and (2) preserving its relationship with its customers. In my opinion, the second always matters more, because if the business fails, we have failed too.
In order to focus on preserving its relationship with its customers, the business must put itself in the customer’s shoes and ask how the customer would feel upon receiving its communications. The article below looks at Target’s breach notification email and explains how something as simple as the choice of domain for the email address can impact customer confidence and perception.
James Lyne, global head of security research at Sophos, received a breach notification email from Target, even though he says he is not a Target customer. He is apparently one of many people who received such emails without ever having shopped at Target and without being affected by the breach.
Lyne dissected the email in a post on Forbes, breaking down point by point the ways in which Target's notification fell short.