CSO Disclosure Series | The Dos and Don'ts of Disclosure Letters

One security breach, two letters, 11 lessons in the art of telling customers you screwed up. Two PR pros deconstruct the messages that Monster.com and USAJOBS were really giving to customers whose personal information had been disclosed. Part of an in-depth series about disclosing breaches.

The Letters
(We’ve provided a small version of the two annotated disclosure letters below. For a larger version, view them in this PDF.)
Thumbnails of two disclosure letters


The Observations
1) Dear Anonymous Faceless Customer.
Both Jane and Joan question the use of the “dear” salutation for a mass mailing. “It’s awkward,” says Jane. “It’s so clearly a mass mailing.” She says it’s essentially an urgent memo to many people, some of whom you don’t know, so treat it that way. A better introduction could be “To Our Customers” or “An Important Message for Our Customers.”

2) A soft opening.
Right away, styles diverge. Monster chooses to soften the coming blow with its first sentence. USAJOBS simply begins stating facts. Jane sees benefits and drawbacks to each. “The first line is the toughest of all,” she says. You want to show that you value customers, but at the same time, the sentence feels roundabout, like hollow marketing spin. On the other hand, USAJOBS’ letter may seem less spun, but it also gets into technical detail right away and could feel like a punch in the jaw, which is off-putting. USAJOBS also has the advantage of being able to blame the problem on another brand. If it were their databases, the letter might have started differently.

3) The problem with saying “sorry.”
“Sorry is personal,” says Joan. “Plus, it means you did something wrong.” Regret, on the other hand, sounds somewhat sincere but removes fallibility. Few disclosure letters ever use the word sorry. Both agree this is a legal ploy. “You’re trying to prevent these letters from becoming Exhibit A in a class-action lawsuit,” says Jane. But Jane also understands the use of regret over sorry. “Sorry is not a professional word,” she notes. Also, Jane says, companies could avoid turgid language and running around the issue by explicitly saying why the letter is being written. “I’d really prefer to be able to write, ‘We’re compelled to tell you this by government regulation.’ It’s direct and true. But the lawyers and the marketing people probably wouldn’t let a PR person like me get away with that.”
