Monday, February 13, 2006

What is the objective?

I promised an analysis of the Boston Globe's notification letter, stemming from the January 30 disclosure of subscriber credit card and bank routing data.

In general the letter, dated February 2, seems to cover all the bases, but there is one critical element missing from the letter (I'll transcribe the text in a separate post): addressing the concerns of the subscriber.

The letter begins with a synopsis of the situation, offers a brief explanation of the Globe's actions following discovery of the breach, then moves on to tell the recipient what he/she should do to protect themselves. There is a second page addendum entitled "Steps to take to protect your credit and identity."

Here is the problem I have with the letter:

The Globe is the party responsible for the breach, yet the emphasis of the letter is to place a burden on the affected subscriber. Apart from a closing paragraph that offers "our sincerest apologies for any inconvenience or concern that this incident may have caused you," there is no hint of regret on the Globe's part, or any attempt to address the most basic of questions most people would have upon learning of the breach. In fact, the weak mea culpa is followed by the line "Your business is very important to us." Not your safety or your financial well-being, but your business.

Speaking with my mother-in-law, she had many questions related to identity theft and credit fraud raised by the incident. Her questions, I imagine, were shared by the more than 200,000 subscribers who also received the letter. The Globe missed an opportunity to demonstrate true concern for these people.

Was the disclosed information sufficient for an individual to make fraudulent purchases? Was enough information disclosed to allow someone to create new credit accounts? What are the chances of credit fraud/identity theft happening to me as a result of this incident? Precisely what information was and was not disclosed? How did the incident happen and what steps is the Globe taking to ensure it does not happen again?

Recommendation: When a data breach occurs and people are affected, there is a loss of trust that takes place. The Ponemon Institute's recent 2006 Privacy Trust Study for Retail Banking shows that a single breach can result in 34 percent of a bank's customers losing faith in the bank's ability to protect personal information. It's not a far leap to conclude a similar loss of trust would be suffered by other businesses. Therefore, communications following an incident should do their best to offer sincere apologies, anticipate and answer questions, and demonstrate to the customer that decisive steps are being taken to safeguard their interests and ensure similar incidents do not take place again. Information to help the affected should be offered as a service, not positioned as the vendor's way of unloading responsibility.

And, of course, a plan should be in place to deal with such incidents before they happen. An audit should be undertaken to identify data management practices and policies, as well as the technologies deployed to protect data and enforce policy. And training and awareness programs developed and delivered to ensure a top-to-bottom understanding of each person's responsibility as part of the chain of data protection.


Post a Comment

Links to this post:

Create a Link

<< Home