How do you tell someone you’ve lost something important of his? That’s hard enough. Now how do you tell a million people?

As data breach disclosure laws proliferate--38 states have mandated disclosure, and federal legislation is wending its way through Congress--a flood of data breach disclosure letters follows. How those letters are constructed and what they say can tell us a lot, both about massive failures of data protection and about how companies are approaching the information security problem. (Actually, 39 states have mandated disclosure, if you count a law in Oklahoma that applies only to state agency data. For more details, see our interactive map that’s part of this series.)

Disclosure letters are not easy. They require verbal contortionists who must twist words unnaturally and move sentences in awkward, sometimes contradictory directions. Be honest but not to a fault. Provide details but don’t share too many details. Explain what happened but don’t be too technical. Make a form letter empathetic. Raise alarms but express control over the situation. Be responsible without being accountable. Be compassionate but don’t say you’re sorry.

When Monster.com was hacked and personal records of 1.3 million job seekers were exposed, the company faced this very problem. Monster was compelled by law to inform its customers of the incident, and then went on to send a letter to all of its customers. And so did USAJOBS, a federal employment organization that relied on Monster.com databases for its job listings.

Same breach. Starkly different letters.

We’ve put these two letters side by side to show different approaches to the same problem. We then asked two public relations professionals who have taken part in writing disclosure letters (both requested anonymity--we’ll call them Jane and Joan) to scrutinize these two disclosures. Both empathized with Monster’s and USAJOBS’ difficult task.

“So many people in the organization get their fingerprints on them,” says Jane. “These letters are just difficult to do well.”

But both looked at line-by-line sentence decisions and the overall spirit of the letters. They had telling insights into word choice, verb tense choice, even how to address and sign them. Their critique is unflinching. “Most of these letters are hard to get through,” says Joan. “By the time you’re done, you don’t know what to make of them.”

The constructive criticism is helpful to anyone who must prepare for the eventuality of a data breach disclosure. Thousands of companies have gone through the process of writing disclosure letters now, and thousands more will in the coming years. They have to write them well. The Ponemon Institute’s national survey on data breach notification shows that consumers tend to blame organizations for failure even if they’re not negatively affected. Read on to learn more about the dos and don’ts of data breach disclosure letters.

The Letters

(We’ve provided a small version of the two annotated disclosure letters below. For a larger version, view them in this PDF.)

The Observations

1) Dear Anonymous Faceless Customer.

Both Jane and Joan question the use of the “Dear” salutation for a mass mailing. “It’s awkward,” says Jane. “It’s so clearly a mass mailing.” She says it’s essentially an urgent memo to many people, some of whom you don’t know, so treat it that way. A better introduction could be “To Our Customers” or “An Important Message for Our Customers.”

2) A soft opening.

Right away, styles diverge. Monster chooses to soften the coming blow with its first sentence. USAJOBS simply begins stating facts. Jane sees benefits and drawbacks to each. “The first line is the toughest of all,” she says. You want to show that you value customers, but at the same time, the sentence feels roundabout, like hollow marketing spin. On the other hand, USAJOBS’ letter may seem less spun, but it also gets into technical detail right away and could feel like a punch in the jaw, which is off-putting. USAJOBS also has the advantage of being able to blame the problem on another brand. If it were their databases, the letter might have started differently.

3) The problem with saying “sorry.”

“Sorry is personal,” says Joan. “Plus, it means you did something wrong.” Regret, on the other hand, sounds somewhat sincere but removes fallibility. Few disclosure letters ever use the word sorry. Both agree this is a legal ploy. “You’re trying to prevent these letters from becoming Exhibit A in a class-action lawsuit,” says Jane. But Jane also understands the use of regret over sorry. “Sorry is not a professional word,” she notes. Also, Jane says, companies could avoid turgid language and running around the issue by explicitly saying why the letter is being written. “I’d really prefer to be able to write, ‘We’re compelled to tell you this by government regulation.’ It’s direct and true. But the lawyers and the marketing people probably wouldn’t let a PR person like me get away with that.”

4) We’re a victim, too ...

In the Monster letter, “the second paragraph is tough,” says Jane. “This is where you absolutely have to say what it is and how the reader is impacted.” Instead, says Jane, this paragraph paints Monster as the victim, the “target of malicious activity that involved the illegal downloading of information such as…” This is a passive, wordy way of saying, “We got hacked.” What’s more, the second part of the paragraph flips from passive to active, and tries to make Monster appear in control with verbs like “responded … notified … and shut down.” A close read, however, shows the active verbs are just dressing up vague statements. The response was a “comprehensive review” of procedures--auditing the fire response procedures while a fire is blazing. Also, Monster says it “shut down the rogue server,” but it is highly unlikely this is Monster’s doing alone unless the server was an internal one (which we’re not told). More likely, Monster cooperated with ISPs and law enforcement to get that done. Joan is plain about her feelings on this paragraph: “They’re hedging. They’re trying to get credit while being obtuse.” Both say be clear and direct.

5) ... And it’s not just us.

Monster’s letter constantly, almost pathologically, reminds the reader that other companies have experienced similar failures. Before we even find out about the breach, we learn that “opportunistic criminals” are “increasingly using the Internet” for crime. Then, when describing the possibility that this breach fronts a phishing scheme, a sentence is tacked on, noting, “This has been the case in similar attacks on other websites.” Later we learn how to protect ourselves against those who attacked Monster “as well as other databases.” Jane and Joan are not impressed. “They’re doing everything they can to make the problem bigger than them,” says Jane, thus suggesting its occurrence was out of their control. Jane says she understands the impulse to put the attack in the context of the bigger problem, but it probably doesn’t help here, and makes the company appear defensive. Joan worries that this tactic will soon wear thin. For example, in another case, the TJX Companies argued after its systems were breached that its security was similar to other companies’ and in line with standard industry practice. As time goes on, consumers will grow weary of the “everyone’s doing it” and “it’s out of our control” defenses.

6) Detail versus good detail.

USAJOBS’ exposition of facts is clearer. For example, USAJOBS states clearly that no Social Security numbers were compromised because of safeguards the organization had in place. Monster’s letter doesn’t mention SSNs, which raises questions: Were Social Security numbers affected? Did Monster not have the same safeguards? Even stronger, USAJOBS starts its explanatory paragraph with a smart, easy-to-understand detail: A legitimate account at a private company was compromised to gain access. Monster never mentions this. The more specific and clear the detail, the better. Vague detail about “malicious activity that involved the illegal downloading” only confuses and creates an air of obfuscation.

7) Lots of fingerprints.

How many people end up reviewing, adding to, altering or otherwise getting their fingerprints all over a disclosure letter? Try dozens, says Jane. She tried to recall all of the stakeholders who reviewed letters she had written: “Communications, marketing, IT, information security subject matter experts, legal, the CIO, the head of customer service, the CEO (of course), and then his personal writer, and sometimes the board.”

8) Sincerely, The Company.

Jane objects to the use of “The Company” in the Monster letter, especially in conjunction with other elements. Combine that with the “Dear” salutation at the top, “you’re a valued customer” language and the CEO’s signature at the bottom, and she says, “We’re getting mixed messages here.” In other words, it tries to be a letter from the CEO, a mass-mailed memo and a legal document all at the same time. “The Company” is especially problematic, as it creates a sense the company has lawyered this thing up. That may be the case, but to consumers, it undermines the personal messages about valuing the customer and creates the notion the company cares mostly about covering its butt.

9) Bold statements.

Both letters include bolded text. USAJOBS’ bolded text seems smart: It includes specific and forceful language that the company will “NEVER” request personal information from an unsolicited e-mail. But the placement of the bold text threatens to draw eyes right past all of the excellent factual information above it. It is further muddied by a confusing parenthetical trying to back into a definition of unsolicited e-mail. Monster, on the other hand, ends with a bold statement that simply invites the reader to learn more and links to a comprehensive explanation of phishing and other online fraud. In this material, separate from the letter, Monster also notes it will never ask for personal information via unsolicited e-mail. Both tactics have advantages. USAJOBS is being clear but brief in the letter, which may cause people to ignore other, unbolded information. Monster is being clear but comprehensive with attached documentation that may be ignored as too much information.

10) Transferred risk.

Another common theme of disclosure letters is to remind users that it’s their fault, too. For, the argument goes, if they surfed more responsibly and didn’t fall for schemes, this would be less of a problem. This is risk transference. Make the customer protect the data, too, and that way the customer who fails to do so is also at fault for the loss. Monster does not say in what ways, besides a comprehensive audit, it is improving its security. The company vaguely mentions it has “launched a series of initiatives” but never names one of them. Jane and Joan don’t like this but understand the information may be too technical or sensitive to release. Customers are given a website to “educate you about online fraud” and the company “invite[s] you to keep reading to learn more about how to use the Internet safely.” USAJOBS is terser, but to similar ends: “We ask you to remain alert for counterfeit phishing…” and “Please also be on the alert for fraudulent e-mail…” On the one side, it never hurts to raise awareness of these problems. Education is good. On the other side, the database was hacked, which has virtually nothing to do with end-user behavior and everything to do with a vulnerable corporate network. Savvy consumers will see this transference for the red herring it appears to be. Phishing wouldn’t be a problem if the criminals hadn’t gained access to the e-mail addresses to phish in the first place. Still, companies continue to tell consumers what they need to do to protect themselves because, as Joan says, consumers don’t push back on this point. “We seem to be at a point in society where people expect that risk to be passed on. They will probably get away with that.” However, that tactic is likely to wear thin as consumers get more disclosure letters.

11) The contextless threat.

One of the hardest challenges of disclosure letters is the lack of context for what the breach means. The mere fact a letter has been sent naturally raises a consumer’s concern; on the other hand, how concerned should I be if the company lost my address? My phone number? My Social Security number? What are the possible outcomes of this lapse? And how likely are they to occur? And if they do occur, what then? These questions are rarely addressed in a disclosure letter because the answers are complex and uncertain. Industrywide, validated metrics about abuse and fraud could go a long way toward alleviating some of the uncertainty, but why would companies disclose the possibility that their gaffe could lead to a poor credit rating, or to the distress of being unable to secure financing, unless regulation compelled them to?

This conundrum has become the bane of the disclosure business. Disclosure letters have the power to create as many questions as they answer, or more. That’s precisely what’s happened as laws bring ever more breaches to the surface. As of November of last year, the Privacy Rights Clearinghouse had documented nearly 170 million personal records reported compromised. That number is expected to grow quickly. Thousands more disclosure letters are coming.

Regrettably.