How to Talk to Your Customers About the Heartbleed Bug

If your brand has an e-commerce website, you might have experienced a few heart palpitations of your own last week when you found out about the Heartbleed Bug. The list of sites that have been breached by the bug gets longer each day, making it apparent that it will be a while before the full impact of Heartbleed is felt. Mashable is calling the bug the “Internet’s First Security Superstar,” with Editor-At-Large Lance Ulanoff asking if Heartbleed “is the first Internet Bug with its own website?” Codenomicon, the Finnish company that tests various technologies for robustness, discovered and outed Heartbleed and quickly set up the site www.heartbleed.com to address consumer and industry concerns about the bug. The site contains a wealth of information about Heartbleed, written in a style that’s easy for non-techies to understand.

While it’s always difficult to talk to customers about security vulnerabilities, this crisis actually presents an opportunity to build trust with the consumer. By addressing the issue proactively, we demonstrate that our brands truly care about customers’ data. Maybe you’ve already provided information on the bug and whether it has affected your site. Now let’s look at how we can enhance and optimize the message for week two and beyond.

What to Say

1. In non-techie terms, briefly explain what the Heartbleed bug is. After a sentence or two of explanation, feel free to link to sites where the user can get more detailed info (www.heartbleed.com is a good option).

2. Transparency is one of the key components of building trust. Clearly state your site’s exposure (e.g. affected, not affected). If your site was affected, briefly explain what your team did to fix the problem (applied patches, installed a reissued security certificate). Avoid getting too technical, but go into a bit more detail than a generic “we fixed the problem” message.

3. Assure your customers that the security flaw has been remedied. Advise them as to whether they should change their password for any accounts they may have set up on your site. Of course, if your site was affected, you should require that your customers change their passwords on their next login.

4. Invite them to use one of the online tools to test your site, as well as other sites they visit, for the vulnerability. Some of the best tools for this include:

http://filippo.io/Heartbleed/

https://www.ssllabs.com/ssltest/

http://heartbleed.criticalwatch.com/

Communicating these four points will go a long way towards building (or rebuilding) trust with your brand. But there’s one more thing I’d like you to consider doing. Allow the Heartbleed crisis to serve as the impetus to begin educating your customers about internet security. Given that the most common password is “123456” followed closely by “password”, the Heartbleed bug may not even be the biggest threat to consumer security.

Consider the trust that can be fostered by offering your customers tips and advice they can use to be safer, not just on your site, but across the web. By making it a year-round initiative (perhaps with a permanent internet security FAQ page or microsite sponsored by your brand) you can express your ongoing care and concern for your customers.

We’d like to hear some of your brand’s challenges in addressing the issue. Please click “Share Your Thoughts” below.
