Home » Data Protection » PCI and Compliance

CSO Disclosure Series | The Dos and Don'ts of Disclosure Letters

One security breach, two letters, 11 lessons in the art of telling customers you screwed up. Two PR pros deconstruct the messages that Monster.com and USAJOBS were really giving to customers whose personal information had been disclosed. Part of an in-depth series about disclosing breaches.

February 06, 2008 — CSO — How do you tell someone you’ve lost something important of his? That’s hard enough. Now how do you tell a million people?

As data breach disclosure laws proliferate--38 states have mandated disclosure, and federal legislation is wending its way through Congress--a flood of data breach disclosure letters follows. How those letters are constructed and what they say can tell us a lot about both massive failures of data protection and how companies are approaching the information security problem.

(Actually, 39 states have mandated disclosure, if you count a law in Oklahoma that applies only to state agency data. For more details, see our interactive map that’s part of this series.)

Disclosure letters are not easy. They require verbal contortionists who must twist words unnaturally and move sentences in awkward, sometimes contradictory directions. Be honest but not to a fault. Provide details but don’t share too many details. Explain what happened but don’t be too technical. Make a form letter empathetic. Raise alarms but express control over the situation. Be responsible without being accountable. Be compassionate but don’t say you’re sorry.

When Monster.com was hacked and personal records of 1.3 million job seekers were exposed, the company faced this very problem. Monster was compelled by law to inform its customers of the incident, and then went on to send a letter to all of its customers. And so did US AJOBS, a federal employment organization that relied on Monster.com databases for its job listings.

Same breach. Starkly different letters.

We’ve put these two letters side by side to show different approaches to the same problem. We then asked two public relations professionals who have taken part in writing disclosure letters (both requested anonymity--we’ll call them Jane and Joan) to scrutinize these two disclosures. Both empathized with Monster’s and US AJOBS’ difficult task. “So many people in the organization get their fingerprints on them,” says Jane. “These letters are just difficult to do well.”

But both looked at line-by-line sentence decisions and the overall spirit of the letters. They had telling insights into word choice, verb tense choice, even how to address and sign them. Their critique is unflinching. “Most of these letters are hard to get through,” says Joan. “By the time you’re done, you don’t know what to make of them.”

The constructive criticism is helpful to anyone who must prepare for the eventuality of a data breach disclosure. Thousands of companies have gone through the process of