Security lapses: Breaking the bad news

When and how to get the word out that your security's been breached

Egghead.com faced a nightmare before Christmas when, on Dec. 18, executives at the online technology retailer discovered that a hacker had accessed its computer systems. To make matters worse, within the first 24 hours they found out that the compromised systems included the databases that hold customer credit card information.

Egghead.com CEO and President Jeff Sheahan quickly made a decision: To head off attempts at fraud, he would share the bad tidings with customers and key partners. By the end of that week, the e-tailer had sent e-mail from Sheahan to 3.3 million past and present customers and issued a press release that prompted news stories nationwide.

It was one of the few and most notable examples to date of a company informing customers soon after an Internet security breach. But the experiences of Egghead.com and others that have gone public about security lapses offer valuable lessons for e-businesses.

As online consumers become more concerned about security and privacy issues and as new privacy laws go into effect, most e-businesses should decide in advance when and how to communicate with customers and business partners when a security breakdown occurs, experts say. Online businesses should be careful not to overreact by issuing public statements that could serve to expose them to more break-ins. But, experts say, in cases where customer information—whether credit card numbers, addresses or other records—is exposed, companies have a responsibility to tell their customers.

If no customer information is compromised, or companies aren't sure of the exposure, the appropriate response is murkier. Above all, e-businesses can't ignore the issue any longer and must develop policies and procedures for communicating security breaches to customers.

"As a rule, [companies] really don't want this information to get out," said Fred Rica, a partner in global risk management solutions for PricewaterhouseCoopers. "They're afraid of eroding customer confidence and afraid that other people may try to exploit that security breach again."
