CSO Disclosure Series | The Dos and Don'ts of Disclosure Letters
One security breach, two letters, 11 lessons in the art of telling customers you screwed up. Two PR pros deconstruct the messages that Monster.com and USAJOBS were really giving to customers whose personal information had been disclosed. Part of an in-depth series about disclosing breaches.
(We’ve provided a small version of the two annotated disclosure letters below. For a larger version, view them in this PDF.)
1) Dear Anonymous Faceless Customer.
Both Jane and Joan question the use of the “dear” salutation for a mass mailing. “It’s awkward,” says Jane. “It’s so clearly a mass mailing.” She says it’s essentially an urgent memo to many people, some of whom you don’t know, so treat it that way. A better introduction could be “To Our Customers” or “An Important Message for Our Customers.”
2) A soft opening.
Right away, styles diverge. Monster chooses to soften the coming blow with its first sentence. US AJOBS simply begins stating facts. Jane sees benefits and drawbacks to each. “The first line is the toughest of all,” she says. You want to show that you value customers, but at the same time, the sentence feels roundabout, like hollow marketing spin. On the other hand, US AJOBS’ letter may seem less spun, but it also gets into technical detail right away and could feel like a punch in the jaw, which is offputting. US AJOBS also has the advantage of being able to blame the problem on another brand. If it were their databases, the letter might have started differently.
3) The problem with saying “sorry.”
“Sorry is personal,” says Joan. “Plus, it means you did something wrong.” Regret, on the other hand, sounds somewhat sincere but removes fallibility. Few disclosure letters ever use the word sorry. Both agree this is a legal ploy. “You’re trying to prevent these letters from becoming Exhibit A in a class-action lawsuit,” says Jane. But Jane also understands the use of regret over sorry. “Sorry is not a professional word,” she notes. Also, Jane says, companies could avoid turgid language and running around the issue by explicitly saying why the letter is being written. “I’d really prefer to be able to write, ‘We’re compelled to tell you this by government regulation.’ It’s direct and true. But the lawyers and the marketing people probably wouldn’t let a PR person like me get away with that.”