In Depth

CSO Disclosure Series | The Dos and Don'ts of Disclosure Letters

One security breach, two letters, 11 lessons in the art of telling customers you screwed up. Two PR pros deconstruct the messages that Monster.com and USAJOBS were really giving to customers whose personal information had been disclosed. Part of an in-depth series about disclosing breaches.

By Scott Berinato

Page 4

USAJOBS’ exposition of facts is clearer. For example, USAJOBS states clearly that no Social Security numbers were compromised because of safeguards the organization had in place. Monster’s letter doesn’t mention SSNs at all, which raises questions: Were Social Security numbers affected? Did Monster not have the same safeguards? Even stronger, USAJOBS opens its explanatory paragraph with a smart, easy-to-understand detail: a legitimate account at a private company was compromised to gain access. Monster never mentions this. The more specific and clear the detail, the better. Vague language about “malicious activity that involved the illegal downloading” only confuses and creates an air of obfuscation.

7) Lots of fingerprints.
How many people end up reviewing, adding to, altering or otherwise getting their fingerprints all over a disclosure letter? Try dozens, says Jane. She tried to recall all of the stakeholders who reviewed letters she had written: “Communications, marketing, IT, information security subject matter experts, legal, the CIO, the head of customer service, the CEO (of course), and then his personal writer, and sometimes the board.”

8) Sincerely, The Company.
Jane objects to the use of “The Company” in the Monster letter, especially in conjunction with other elements. Combine that with the “Dear” salutation at the top, the “you’re a valued customer” language and the CEO’s signature at the bottom, and she says, “We’re getting mixed messages here.” In other words, the letter tries to be a personal note from the CEO, a mass-mailed memo and a legal document all at the same time. “The Company” is especially problematic, as it creates the sense that the company has lawyered this thing up. That may well be the case, but to consumers it undermines the personal message about valuing the customer and creates the notion that the company cares mostly about covering its butt.

9) Bold statements.
Both letters include bolded text. USAJOBS’ bolded text seems smart: It includes specific and forceful language that the company will “NEVER” request personal information in an unsolicited e-mail. But the placement of the bold text threatens to draw eyes right past all of the excellent factual information above it. It is further muddied by a confusing parenthetical that tries to back into a definition of unsolicited e-mail. Monster, on the other hand, ends with a bold statement that simply invites the reader to learn more and links to a comprehensive explanation of phishing and other online fraud. In this material, separate from t
