CSO Disclosure Series | The Dos and Don'ts of Disclosure Letters
One security breach, two letters, 11 lessons in the art of telling customers you screwed up. Two PR pros deconstruct the messages that Monster.com and USAJOBS were really giving to customers whose personal information had been disclosed. Part of an in-depth series about disclosing breaches.
February 06, 2008
How do you tell someone you’ve lost something important of his? That’s hard enough. Now how do you tell a million people?
As data breach disclosure laws proliferate--38 states have mandated disclosure, and federal legislation is wending its way through Congress--a flood of data breach disclosure letters follows. How those letters are constructed and what they say can tell us a lot about both massive failures of data protection and how companies are approaching the information security problem.
(Actually, 39 states have mandated disclosure, if you count a law in Oklahoma that applies only to state agency data. For more details, see our interactive map that’s part of this series.)
Disclosure letters are not easy. They require verbal contortionists who must twist words unnaturally and move sentences in awkward, sometimes contradictory directions. Be honest but not to a fault. Provide details but don’t share too many details. Explain what happened but don’t be too technical. Make a form letter empathetic. Raise alarms but express control over the situation. Be responsible without being accountable. Be compassionate but don’t say you’re sorry.
When Monster.com was hacked and personal records of 1.3 million job seekers were exposed, the company faced this very problem. Monster was compelled by law to inform its customers of the incident, and then went on to send a letter to all of its customers. And so did US AJOBS, a federal employment organization that relied on Monster.com databases for its job listings.
Same breach. Starkly different letters.
We’ve put these two letters side by side to show different approaches to the same problem. We then asked two public relations professionals who have taken part in writing disclosure letters (both requested anonymity--we’ll call them Jane and Joan) to scrutinize these two disclosures. Both empathized with Monster’s and US AJOBS’ difficult task. “So many people in the organization get their fingerprints on them,” says Jane. “These letters are just difficult to do well.”
But both looked at line-by-line sentence decisions and the overall spirit of the letters. They had telling insights into word choice, verb tense choice, even how to address and sign them. Their critique is unflinching. “Most of these letters are hard to get through,” says Joan. “By the time you’re done, you don’t know what to make of them.”
The constructive criticism is helpful to anyone who must prepare for the eventuality of a data breach disclosure. Thousands of companies have gone through the process of writing disclosure letters now, and thousands more will in the coming years. They have to write them well. The Ponemon Institute’s national survey on data breach notification shows that consumers tend to blame organizations for failure even if they’re not negatively affected. Read on to learn more about the dos and don’ts of data breach disclosure letters.