How do you tell someone you’ve lost something important of his? That’s hard enough. Now how do you tell a million people?
As data breach disclosure laws proliferate--38 states have mandated disclosure, and federal legislation is wending its way through Congress--a flood of data breach disclosure letters follows. How those letters are constructed and what they say can tell us a lot about both massive failures of data protection and how companies are approaching the information security problem.
(Actually, 39 states have mandated disclosure, if you count a law in Oklahoma that applies only to state agency data. For more details, see our interactive map that’s part of this series.)
Disclosure letters are not easy. They require verbal contortionists who must twist words unnaturally and move sentences in awkward, sometimes contradictory directions. Be honest but not to a fault. Provide details but don’t share too many details. Explain what happened but don’t be too technical. Make a form letter empathetic. Raise alarms but express control over the situation. Be responsible without being accountable. Be compassionate but don’t say you’re sorry.
When Monster.com was hacked and personal records of 1.3 million job seekers were exposed, the company faced this very problem. Monster was compelled by law to inform its customers of the incident, and then went on to send a letter to all of its customers. And so did US AJOBS, a federal employment organization that relied on Monster.com databases for its job listings.
Same breach. Starkly different letters.
We’ve put these two letters side by side to show different approaches to the same problem. We then asked two public relations professionals who have taken part in writing disclosure letters (both requested anonymity--we’ll call them Jane and Joan) to scrutinize these two disclosures. Both empathized with Monster’s and US AJOBS’ difficult task. “So many people in the organization get their fingerprints on them,” says Jane. “These letters are just difficult to do well.”
But both looked at line-by-line sentence decisions and the overall spirit of the letters. They had telling insights into word choice, verb tense choice, even how to address and sign them. Their critique is unflinching. “Most of these letters are hard to get through,” says Joan. “By the time you’re done, you don’t know what to make of them.”
The constructive criticism is helpful to anyone who must prepare for the eventuality of a data breach disclosure. Thousands of companies have gone through the process of writing disclosure letters now, and thousands more will in the coming years. They have to write them well. The Ponemon Institute’s national survey on data breach notification shows that consumers tend to blame organizations for failure even if they’re not negatively affected. Read on to learn more about the dos and don’ts of data breach disclosure letters.
The Letters
(We’ve provided a small version of the two annotated disclosure letters below. For a larger version, view them in this PDF.)
The Observations
1) Dear Anonymous Faceless Customer.
Both Jane and Joan question the use of the “dear” salutation for a mass mailing. “It’s awkward,” says Jane. “It’s so clearly a mass mailing.” She says it’s essentially an urgent memo to many people, some of whom you don’t know, so treat it that way. A better introduction could be “To Our Customers” or “An Important Message for Our Customers.”
2) A soft opening.
Right away, styles diverge. Monster chooses to soften the coming blow with its first sentence. US AJOBS simply begins stating facts. Jane sees benefits and drawbacks to each. “The first line is the toughest of all,” she says. You want to show that you value customers, but at the same time, the sentence feels roundabout, like hollow marketing spin. On the other hand, US AJOBS’ letter may seem less spun, but it also gets into technical detail right away and could feel like a punch in the jaw, which is offputting. US AJOBS also has the advantage of being able to blame the problem on another brand. If it were their databases, the letter might have started differently.
3) The problem with saying “sorry.”
“Sorry is personal,” says Joan. “Plus, it means you did something wrong.” Regret, on the other hand, sounds somewhat sincere but removes fallibility. Few disclosure letters ever use the word sorry. Both agree this is a legal ploy. “You’re trying to prevent these letters from becoming Exhibit A in a class-action lawsuit,” says Jane. But Jane also understands the use of regret over sorry. “Sorry is not a professional word,” she notes. Also, Jane says, companies could avoid turgid language and running around the issue by explicitly saying why the letter is being written. “I’d really prefer to be able to write, ‘We’re compelled to tell you this by government regulation.’ It’s direct and true. But the lawyers and the marketing people probably wouldn’t let a PR person like me get away with that.”
4) We’re a victim, too ...
In the Monster letter, “the second paragraph is tough,” says Jane. “This is where you absolutely have to say what it is and how the reader is impacted.” Instead, says Jane, this paragraph paints Monster as the victim, the “target of malicious activity that involved the illegal downloading of information such as…” This is a passive, wordy way of saying, “We got hacked.” What’s more, the second part of the paragraph flips from passive to active, and tries to make Monster appear in control with verbs like “responded … notified … and shut down.” A close read, however, shows the active verbs are just dressing up vague statements. The response was a “comprehensive review” of procedures--auditing the fire response procedures while a fire is blazing. Also, Monster says “shut down the rogue server,” but it is highly unlikely this is Monster’s doing alone unless the server was an internal one (which we’re not told). More likely, Monster cooperated with ISPs and law enforcement to get that done. Joan is plain about her feelings on this paragraph: “They’re hedging. They’re trying to get credit while being obtuse.” Both say be clear and direct.
5) ... And it’s not just us.
Monster’s letter constantly, almost pathologically reminds the reader that other companies have experienced similar failures. Before we even find out the breach, we learn that “opportunistic criminals” are “increasingly using the Internet” for crime. Then, when describing the possibility that this breach fronts a phishing scheme, a sentence is tacked on, noting, “This has been the case in similar attacks on other websites.” Later we learn how to protect ourselves against those who attacked Monster “as well as other databases.” Jane and Joan are not impressed. “They’re doing everything they can to make the problem bigger than them,” says Jane, thus suggesting its occurrence was out of their control. Jane says she understands the impulse to put the attack in context of the bigger problem, but it probably doesn’t help here, and makes the company appear defensive. Joan worries that this tactic will soon wear thin. For example, in another case, the TJX Companies argued after its systems were breached that its security was similar to data breaches other companies’ and standard industry practice. As time goes on, consumers will grow weary of the “everyone’s doing it” and “it’s out of our control” defenses.
6) Detail versus good detail.
US AJOBS’ exposition of facts is clearer. For example, US AJOBS states clearly that no Social Security numbers were compromised because of safeguards the organization had in place. Monster’s letter doesn’t mention SSN s, begging questions: Were Social Security numbers affected? Did Monster not have the same safeguards? Even stronger, US AJOBS starts its explanatory paragraph with a smart, easy-to-understand detail: A legitimate account at a private company was compromised to gain access. Monster never mentions this. The more specific and clear the detail, the better. Vague detail about “malicious activity that involved the illegal downloading” only confuses and creates an air of obfuscation.
7) Lots of fingerprints.
How many people end up reviewing, adding to, altering or otherwise getting their fingerprints all over a disclosure letter? Try dozens, says Jane. She tried to recall all of the stakeholders who reviewed letters she had written: “Communications, marketing, IT, information security subject matter experts, legal, the CIO, the head of customer service, the CEO (of course), and then his personal writer, and sometimes the board.”
8) Sincerely, The Company.
Jane objects to the use of The Company in the Monster letter, especially in conjunction with other elements. Combine that with the Dear salutation at the top, “you’re a valued customer” language and the CEO ’s signature at the bottom, and she says, “We’re getting mixed messages here.” In other words, it tries to be a letter from the CEO , a mass-mailed memo and a legal document all at the same time. The Company is especially problematic, as it creates a sense the company has lawyered this thing up. That may be the case, but to consumers, it undermines the personal messages about valuing the customer and creates the notion the company cares mostly about covering its butt.
9) Bold statements.
Both letters include bolded text. US AJOBS’ bolded text seems smart: It includes specific and forceful language that the company will “NEVE R” request personal information from an unsolicited e-mail. But the placement of the bold text threatens to draw eyes right past all of the excellent factual information above it. It is further muddied by a confusing parenthetical trying to back into a definition of unsolicited e-mail. Monster, on the other hand, ends with a bold statement that simply invites the reader to learn more and links to a comprehensive explanation of phishing and other online fraud. In this material, separate from the letter, Monster also notes it will never ask for personal information via unsolicited e-mail. Both tactics have advantages. US AJOBS is being clear but brief in the letter, which may cause people to ignore other, unbolded information. Monster is being clear but comprehensive with attached documentation that may be ignored as too much information.
10) Transferred risk.
Another common theme of disclosure letters is to remind users that it’s their fault, too. For, the argument goes, if they surfed more responsibly and didn’t fall for schemes, this would be less of a problem. This is risk transference. Make the customer protect the data, too, and that way the customer who fails to do so is also at fault for the loss. Monster does not say in what ways, besides a comprehensive audit, it is improving its security. The company vaguely mentions it has “launched a series of initiatives” but never mentions one of them. Jane and Joan don’t like this but understand the information may be too technical or sensitive to release. Customers are given a website to “educate you about online fraud” and the company “invite[s] you to keep reading to learn more about how to use the Internet safely.” US AJOBS is terser, but to similar ends. “We ask you to remain alert for counterfeit phishing…” and “Please also be on the alert for fraudulent e-mail…” On the one side, it never hurts to raise awareness of these problems. Education is good. On the other side, the database was hacked, which has virtually nothing to do with end-user behavior and everything to do with a vulnerable corporate network. Savvy consumers will see this transference for the red herring it appears to be. Phishing wouldn’t be a problem if the criminals hadn’t gained access to the e-mail addresses to phish in the first place. Still, companies continue to tell consumers what they need to do to protect themselves because, as Joan says, consumers don’t push back on this point. “We seem to be at a point in society where people expect that risk to be passed on. They will probably get away with that.” However, that tactic is likely to wear thin as consumers get more disclosure letters.
11) The contextless threat.
One of the hardest challenges of disclosure letters is the lack of context for what the breach means. The mere fact a letter has been sent naturally raises a consumer’s concern; on the other hand, how concerned should I be if the company lost my address? My phone number? My Social Security number? What are the possible outcomes of this lapse? And how likely are they to occur? And if they do occur, what then? These questions are rarely addressed in a disclosure letter because the answers are complex and uncertain. Industrywide, validated metrics about abuse and fraud could go a long way to alleviating some of the uncertainty, but as long as they don’t have to, why would companies disclose the possibility that their gaffe could lead to a poor credit rating or distress over being unable to secure financing if they weren’t compelled to by regulation?
THIS CONUNDRUM has become the bane of the disclosure business. Disclosure letters have the power to create as many questions as they answer, or more. That’s precisely what’s happened as laws bring ever more breaches to the surface. As of November of last year, the Privacy Rights Clearinghouse had documented nearly 170 million personal records reported compromised. That number is expected to grow quickly. Thousands more disclosure letters are coming.
Regrettably.