Part of any organization’s security and governance plan needs to be what to do when you have a data breach. Notice I said “when” and not “if”. With everyone from a kid with a laptop to sophisticated criminal hackers attacking systems, you are bound to be on the list eventually. Even if you are lucky enough not to be a victim, as British Petroleum can tell you, it’s better to be prepared.
If I am your customer, the first thing I want to know is what happened. Next is what you are doing to fix it and any problems it caused me, and whether it will happen again. Part of that should be an apology and some transparency. If not, I may not trust you and will take my business elsewhere.
Here is a great example of what not to do. Recently AT&T exposed personal information belonging to 114,000 Apple iPad users. The carrier already has enough trouble with everyone piling on about how bad its service is for iPhones, so it didn’t need more problems. The NY Times got a copy of the email sent to iPad users explaining the problem. The email is very long, and after a minute or so my eyes glazed over.
Their response did hit the mark on a few items, but failed miserably at the part that matters. They identified the problem, apologized for it, and said they fixed it. That’s good, but I expect that. Most of the email goes into nauseating detail about the people who perpetrated the crime, the “hackers”, and what they did. Here is part of the email sent by AT&T’s Dorothy Attwood:
The self-described hackers wrote software code to randomly generate numbers that mimicked serial numbers of the AT&T SIM card for iPad – called the integrated circuit card identification (ICC-ID) – and repeatedly queried an AT&T web address. When a number generated by the hackers matched an actual ICC-ID, the authentication page log-in screen was returned to the hackers with the e-mail address associated with the ICC-ID already populated on the log-in screen.
HUH? As a customer, I don’t care about the gory technical details of what went wrong. I don’t even understand what that paragraph means. I’m not a software programmer, and my guess is neither are most customers. I just want your assurance that it’s fixed. And oh yeah, how about taking some responsibility for the problem? In simple terms: “We messed up, we take full responsibility, and we are putting measures in place so this doesn’t happen again.” Their response sounds more like two kids standing next to a broken vase saying “No, he did it. No, she did it.”
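For readers who do want the technical picture, here is what that paragraph of the email describes, as an added example that is not AT&T’s code or data: a web page that returns the account e-mail for any ICC-ID a caller supplies, the random-probing loop an attacker would run against it, and a hardened version that requires proof of possession, rate-limits callers, and gives the same answer for “unknown ICC-ID” and “wrong proof” so the page can no longer be used to confirm which serial numbers exist. The issuer prefix, ICC-IDs, e-mail addresses, per-SIM secrets and the HMAC-based possession proof are all constructed for illustration.

```python
"""Added example: the ICC-ID enumeration oracle described in the AT&T e-mail,
with a hardened counterpart. Every identifier, address and secret here is
constructed for illustration; none of this is AT&T's code or data."""
import hashlib
import hmac
import random
import secrets
import time
from collections import defaultdict, deque
from typing import Optional

# Constructed directory: 20-digit ICC-IDs under one assumed issuer prefix.
PREFIX = "8901410321111851"  # assumed 16-digit issuer prefix, not a real range
SUBSCRIBERS = {
    PREFIX + "0042": "alice@example.com",
    PREFIX + "3177": "bob@example.com",
    PREFIX + "9810": "carol@example.com",
}
# Assumed provisioning model: each SIM holds a secret the server also knows.
SIM_SECRETS = {iccid: secrets.token_bytes(16) for iccid in SUBSCRIBERS}


def vulnerable_login_page(iccid: str) -> dict:
    """The flaw as described: a bare ICC-ID is enough to get the account
    e-mail pre-populated. The identifier alone acts as the credential."""
    return {"email": SUBSCRIBERS.get(iccid, "")}


def enumerate_iccids(attempts: int, seed: int = 0) -> dict:
    """Attacker side: randomly probe the last four digits under the known
    prefix (no repeats) and keep every response that carried an e-mail."""
    rng = random.Random(seed)
    hits = {}
    for suffix in rng.sample(range(10_000), attempts):
        candidate = f"{PREFIX}{suffix:04d}"
        email = vulnerable_login_page(candidate)["email"]
        if email:
            hits[candidate] = email
    return hits


class RateLimiter:
    """Sliding-window limiter keyed by client (source IP, API key, ...)."""

    def __init__(self, limit: int, window_s: float):
        self.limit, self.window_s = limit, window_s
        self._events = defaultdict(deque)

    def allow(self, client: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._events[client]
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def issue_possession_proof(iccid: str) -> str:
    """What the device would present: an HMAC over the ICC-ID under the
    per-SIM secret (assumed scheme; a carrier would bind to network auth)."""
    return hmac.new(SIM_SECRETS[iccid], iccid.encode(), hashlib.sha256).hexdigest()


def hardened_login_page(iccid: str, proof: str, client: str,
                        limiter: RateLimiter, now: Optional[float] = None) -> dict:
    """Hardened: rate-limit first, then demand proof of possession, and return
    one identical answer for 'unknown ICC-ID' and 'wrong proof' so the page
    cannot be used as an existence oracle."""
    if not limiter.allow(client, now):
        return {"status": "rate_limited", "email": ""}
    secret = SIM_SECRETS.get(iccid)
    # Always compute and compare so unknown and known ICC-IDs behave alike.
    expected = (hmac.new(secret, iccid.encode(), hashlib.sha256).hexdigest()
                if secret else "0" * 64)
    if not hmac.compare_digest(expected, proof) or secret is None:
        return {"status": "denied", "email": ""}
    return {"status": "ok", "email": SUBSCRIBERS[iccid]}
```

Run `enumerate_iccids(10_000)` and the vulnerable page gives up every subscriber under the prefix; the same loop against `hardened_login_page` is cut off by the limiter after a handful of requests and learns nothing from the requests it does get to make, because an unknown ICC-ID and a known ICC-ID with a bad proof produce byte-for-byte the same response.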
I have read a lot of criticism of the way AT&T handled this problem. They seem to be following a long-standing tradition of obfuscation and blame shifting. Strip away the jargon and the email describes a web page that handed a customer’s e-mail address to anyone who submitted a valid SIM serial number, with no login required. That is a flaw in AT&T’s own site, not something the attackers broke. Most US states and many countries have breach notification laws that dictate actions to take when a breach is discovered. These laws generally require an organization to notify anyone whose personal information has been compromised and to give them a description of the incident, the date of the breach, and what was taken. Unfortunately, they say nothing about how to tell you.
I am not suggesting that we start legislating the words a company uses to inform you of a problem, but being open and honest without pointing fingers at others is the place to start. If my teen comes to me and says, “Dad, I was running in the house, knocked over a vase and broke it. I cleaned it up and will pay to replace it. I’m sorry I was running and I won’t do it again,” I will have a lot of respect for that kid. I think I should expect the same from a corporation.
Of course it’s embarrassing when you have a data breach, but if you respond properly in the short term, I will look upon you favorably in the long term. I will still trust you, and trust is the most important thing a business has with its customers.