Customer Letter To C-Suite! How Would You Respond?

The Problem?

2014 can be characterized as the year of the breach. Major brands were hit, massive amounts of data were compromised, reputations were tarnished, share prices plummeted and the media started using terms like “Data Breaches—The New Normal”. Normal? Stolen credit cards? Patient data? Customer data? That seems like an oxymoron! Does that mean that customers, clients, patients, etc. should not be concerned when a breach occurs? After all, the media said that “Breaches are the New Normal”.

Imagine that you received an email from a customer expressing concern about breaches and wanting to know what your organization is doing to protect his/her information. How would you respond?

Concerned Customer: The Question(s)?

Copy of Email From Concerned Customer

TO: Dear Board of Directors/CEO/C-Suite Exec/Owner/Partner:

FROM: Concerned Customer

SUBJECT: Data Breaches

I have been a loyal customer for “x” years. I have become increasingly concerned about my personal information due to the number of breaches that have occurred in the last year—Sony is the latest. Although your organization is not as large as some of those reported by the media, my concern and question is: “If It Can Happen to Them, What About Your Organization?” I have done some research and discovered that some of the breaches could have been prevented or at least minimized. I spoke to one of your employees a few months ago about my concern, and I was told that your IT department takes care of that (e.g. breaches). What if the breach is outside the scope of IT or your systems? That shows a lack of knowledge/understanding on the employee’s part.

I have a few questions:

  • What has or is your organization doing to protect my information?
  • Have breaches occurred? If yes, what and how?
  • Are you required to contact me if my information is compromised? If yes, how soon?
  • Are your employees trained on how to protect my information?

Thanks in advance!


Concerned Customer

The Response/Solution?

As the saying goes, “It Is Easier to Keep a Customer Than to Get a New One”! Acknowledge the customer’s concern and thank her for raising it.

Provide specific examples of things that are being done or will be done. The following are examples that can be provided to demonstrate that we hear you and are taking action:

Senior Management and Stakeholder Engagement

Involvement, buy-in, engagement and support by the C-Suite and stakeholders are critical. Lack of support and resources could derail the most well-intentioned efforts. Visible executive support also demonstrates the importance of the effort within the organization.

Conduct A Risk Assessment

A risk assessment is an effective tool for diagnosing issues within the organization. It can help us identify areas that may compromise customer personal/sensitive information. The risk assessment should be conducted at a regular frequency and/or whenever there is a major change within the organization.

Develop An Action Plan

One of the outputs from the risk assessment should be a prioritized action plan. This will demonstrate that we “know the risks”, we “take them seriously” and we are “taking action” to resolve them. There should be owners and timelines assigned to each action.

Employee Training

Developing a training plan should be one of the outputs of the risk assessment, to ensure that employees are adequately trained on how to manage and handle sensitive customer information.

Final Thought

As we have seen over the last year, data privacy should not be taken lightly! Failure to plan and implement appropriate controls causes real harm to people. Let’s do the right thing and take care of our customers—we want them to “remain our customers”!


To jump-start your planning, request the free Risk Assessment Checklist.

Contact Us

We’ll make sure your organization is ready for the challenges ahead. Don’t hesitate to CONTACT US for information about how WAM Management Consulting Group can assist with your compliance efforts. We can help you assess and develop a plan that is appropriate for your organization!

Bio

Miranda Alfonso-Williams, CIPP/US, CIPP/E, CIPM, CIPT, is a data privacy and cyber/data breach insurance specialist. She is currently a Management Consultant for the WAM Consulting Group. Miranda helps her clients develop privacy programs. She also provides training, virtual consulting and auditing. She is board certified in Privacy and holds an MBA from the University of Phoenix. Miranda has over twenty years of experience working with major corporations including GE Healthcare, Amersham Health, Nycomed and Sterling Drug. She has specialized in developing global programs and working with cross-functional teams. Miranda can be reached
