Opinion: After a privacy breach, how should you break the news?
Computerworld - July 5, 2005
recent data debacles at ChoicePoint, LexisNexis, Bank of America and other places, more and more people are receiving the dreaded news that their personal information is at risk because of a privacy breach. Based on a recent study conducted by Ponemon Institute, we can provide some insight on what customers' expectations are when they receive notification. For the past three years, our institute has focused on consumers' perceptions of the trustworthiness of organizations they regularly interact with. And we believe it is a major threat to the goodwill and trust an organization has established with its customers, employees and contractors if it can't allay the fears of those victimized by a data breach.
The Chapell View
My friend Larry Ponemon provides some great insight. It's often been said that a person (or in this case an organization) demonstrates their true character NOT when things are going well, but in how they react when there's a problem.
I think you're going to start to see PR professionals incorporate privacy strategies and best practices into corporate disaster communication programs, much in the same way that we've started to see marketing professionals incorporate privacy principles into their outreach programs.
A few takeaways:
- Tell the Truth, no matter how painful - Almost 86% of respondents to Ponemon's survey indicated that they'd take their business across the street if they felt that a company was not being honest in its explanation of the breach.
- Provide real assistance to the true victims of the breach - There needs to be a greater recognition that companies that store sensitive customer information have a responsibility to safeguard that personal information. And when they fail to adequately safeguard that information, the company absolutely MUST take a proactive role in assisting those impacted by the data breach. While I recognize that some companies have done better than others in this area, I am very concerned when I see PR communications which attempt to position the affected company as one of the "victims" of the breach. The organization is not the victim, the customers of that organization are collectively the victims. These are the people who are saddled with the responsibility of monitoring their credit reports for the next several years. (Although some companies have begun to provide credit monitoring for affected customers, they typically do so for only six months.) These are the people who may be turned down for jobs based upon corrupted credit report data as a result of a breach. And these are often the people who lack the financial or educational sophistication to adequately protect themselves from the risk of ID theft as a result of one of these breaches. In many instances these people never asked your company to store their sensitive data. So when you outwardly state or imply that your company was also a victim, you strain credulity.