
CSO Disclosure Series | The Dos and Don'ts of Disclosure Letters

One security breach, two letters, 11 lessons in the art of telling customers you screwed up. Two PR pros deconstruct the messages that Monster.com and USAJOBS were really giving to customers whose personal information had been disclosed. Part of an in-depth series about disclosing breaches.

By Scott Berinato

Page 2

writing disclosure letters now, and thousands more will in the coming years. They have to write them well. The Ponemon Institute’s national survey on data breach notification shows that consumers tend to blame organizations for failure even if they’re not negatively affected. Read on to learn more about the dos and don’ts of data breach disclosure letters.

The Letters
(We’ve provided a small version of the two annotated disclosure letters below. For a larger version, view them in this PDF.)
Thumbnails of two disclosure letters
The Observations
1) Dear Anonymous Faceless Customer.
Both Jane and Joan question the use of the “dear” salutation for a mass mailing. “It’s awkward,” says Jane. “It’s so clearly a mass mailing.” She says it’s essentially an urgent memo to many people, some of whom you don’t know, so treat it that way. A better introduction could be “To Our Customers” or “An Important Message for Our Customers.”

2) A soft opening.
Right away, styles diverge. Monster chooses to soften the coming blow with its first sentence. USAJOBS simply begins stating facts. Jane sees benefits and drawbacks to each. “The first line is the toughest of all,” she says. You want to show that you value customers, but at the same time, the sentence feels roundabout, like hollow marketing spin. On the other hand, USAJOBS’ letter may seem less spun, but it also gets into technical detail right away and could feel like a punch in the jaw, which is off-putting. USAJOBS also has the advantage of being able to blame the problem on another brand. If it were their databases, the letter might have started differently.

3) The problem with saying “sorry.”
“Sorry is personal,” says Joan. “Plus, it means you did something wrong.” Regret, on the other hand, sounds somewhat sincere but removes fallibility. Few disclosure letters ever use the word sorry. Both agree this is a legal ploy. “You’re trying to prevent these letters from becoming Exhibit A in a class-action lawsuit,” says Jane. But Jane also understands the use of regret over sorry. “Sorry is not a professional word,” she notes. Also, Jane says, companies could avoid turgid language and running around the issue by explicitly saying why the letter is being written. “I’d really prefer to be able to write, ‘We’re compelled to tell you this by government regulation.’ It’s direct and true. B
