In Depth

CSO Disclosure Series | The Dos and Don'ts of Disclosure Letters

One security breach, two letters, 11 lessons in the art of telling customers you screwed up. Two PR pros deconstruct the messages that Monster.com and USAJOBS were really giving to customers whose personal information had been disclosed. Part of an in-depth series about disclosing breaches.

By Scott Berinato

Page 5

he letter, Monster also notes it will never ask for personal information via unsolicited e-mail. Both tactics have advantages. USAJOBS is being clear but brief in the letter, which may cause people to ignore other, unbolded information. Monster is being clear but comprehensive with attached documentation that may be ignored as too much information.

10) Transferred risk.
Another common theme of disclosure letters is to remind users that it’s their fault, too. For, the argument goes, if they surfed more responsibly and didn’t fall for schemes, this would be less of a problem. This is risk transference. Make the customer protect the data, too, and that way the customer who fails to do so is also at fault for the loss.

Monster does not say in what ways, besides a comprehensive audit, it is improving its security. The company vaguely mentions it has “launched a series of initiatives” but never mentions one of them. Jane and Joan don’t like this but understand the information may be too technical or sensitive to release. Customers are given a website to “educate you about online fraud” and the company “invite[s] you to keep reading to learn more about how to use the Internet safely.” USAJOBS is terser, but to similar ends: “We ask you to remain alert for counterfeit phishing…” and “Please also be on the alert for fraudulent e-mail…”

On the one side, it never hurts to raise awareness of these problems. Education is good. On the other side, the database was hacked, which has virtually nothing to do with end-user behavior and everything to do with a vulnerable corporate network. Savvy consumers will see this transference for the red herring it appears to be. Phishing wouldn’t be a problem if the criminals hadn’t gained access to the e-mail addresses to phish in the first place. Still, companies continue to tell consumers what they need to do to protect themselves because, as Joan says, consumers don’t push back on this point. “We seem to be at a point in society where people expect that risk to be passed on. They will probably get away with that.” However, that tactic is likely to wear thin as consumers get more disclosure letters.

11) The contextless threat.
One of the hardest challenges of disclosure letters is the lack of context for what the breach means. The mere fact a letter has been sent naturally raises a consumer’s conce

