CSO Disclosure Series | The Dos and Don'ts of Disclosure Letters
One security breach, two letters, 11 lessons in the art of telling customers you screwed up. Two PR pros deconstruct the messages that Monster.com and USAJOBS were really giving to customers whose personal information had been disclosed. Part of an in-depth series about disclosing breaches.
By Scott Berinato
ut the lawyers and the marketing people probably wouldn’t let a PR person like me get away with that.”
4) We’re a victim, too ...
In the Monster letter, “the second paragraph is tough,” says Jane. “This is where you absolutely have to say what it is and how the reader is impacted.” Instead, says Jane, this paragraph paints Monster as the victim, the “target of malicious activity that involved the illegal downloading of information such as…” This is a passive, wordy way of saying, “We got hacked.” What’s more, the second part of the paragraph flips from passive to active, and tries to make Monster appear in control with verbs like “responded … notified … and shut down.” A close read, however, shows the active verbs are just dressing up vague statements. The response was a “comprehensive review” of procedures--auditing the fire response procedures while a fire is blazing. Also, Monster says “shut down the rogue server,” but it is highly unlikely this is Monster’s doing alone unless the server was an internal one (which we’re not told). More likely, Monster cooperated with ISPs and law enforcement to get that done. Joan is plain about her feelings on this paragraph: “They’re hedging. They’re trying to get credit while being obtuse.” Both say be clear and direct.
5) ... And it’s not just us.
Monster’s letter constantly, almost pathologically, reminds the reader that other companies have experienced similar failures. Before we even find out about the breach, we learn that “opportunistic criminals” are “increasingly using the Internet” for crime. Then, when describing the possibility that this breach fronts a phishing scheme, a sentence is tacked on, noting, “This has been the case in similar attacks on other websites.” Later we learn how to protect ourselves against those who attacked Monster “as well as other databases.” Jane and Joan are not impressed. “They’re doing everything they can to make the problem bigger than them,” says Jane, thus suggesting its occurrence was out of their control. Jane says she understands the impulse to put the attack in the context of the bigger problem, but it probably doesn’t help here, and it makes the company appear defensive. Joan worries that this tactic will soon wear thin. For example, in another case, the TJX Companies argued after its systems were breached that its security was similar to that of other companies that had suffered data breaches and was standard industry practice. As time goes on, consumers will grow weary of the “everyone’s doing it” and “it’s out of our control” defenses.
6) Detail versus good detail.