Got a letter last week that I received with mixed emotions. It was a breach notice letter from the Carlson Companies, an organization I do business with regularly.
I say "mixed emotions" because, while such letters are never good news, the arrival of one is not shocking. I'll even go so far as to say that receipt of a breach notice letter should be an expected event for most people.
I debated writing about this particular letter because of my ongoing business relationship with the company, but eventually decided to go ahead, for two reasons. The first is that I don't think it's right for me to blog about one breach that affects me but not discuss another. If I'm going to be fair, I need to discuss any and all breaches in which I have a stake.
The other reason is that, after a detailed reading, I think Carlson's response to their data loss incident is excellent and can serve as a model for other organizations facing similar circumstances.
There's an ironic twist to this particular letter. My association with Carlson is through their Peppers & Rogers marketing division which, in partnership with the International Association of Privacy Professionals, publishes the 1to1: Privacy newsletter. I am a regular contributor to that newsletter.
In brief, the letter informs me that "an employee on a field assignment had a laptop stolen from a locked rental car." A common occurrence. I'll reference an August 15 Vontu-sponsored study by the Ponemon Institute (with whom I work) in which it was found that 81 percent of companies have experienced the loss of a laptop computer in the last twelve months. My personal information, including name and Social Security number, was on that laptop.
I'll summarize what I like about the way Carlson handled this incident:
The letter is brief. All the information I need to know is presented on one page.
The letter is to the point. There's no unnecessary talking around issues.
The letter doesn't induce panic. The letter deals with facts, not fear, and presents the situation in such a way that I have a realistic understanding of my situation.
The letter takes responsibility. Carlson doesn't attempt to dodge here, and they provide me with information to take advantage of a 12-month credit monitoring service, at their expense, that includes daily monitoring and alerts, $25,000 ID theft insurance, and more.
The letter arms me with useful information. Carlson offers advice and points me to resources I should be aware of, given that my PII has been put at risk.
Finally, when I read the Carlson notice letter, I'm not overwhelmed with a style of writing that tells me it was written by a team of lawyers. The letter is written in a professional and easy-to-understand voice.
I'm sure Carlson would have rather not found themselves in a situation requiring that they send such a letter, but unlike other notices I've seen and received, their reaction stands out.