What Exactly Is The Point?
For the record, please allow me to introduce this concept to those who are not familiar with it: breach notification letters are completely different from press releases about an incident. Therefore, each needs to be crafted differently.
Breach notifications are intended to alert an individual that their personal information is now in the hands of an unauthorized individual. These notifications tend to follow a similar format: Greet the individual. Introduce the problem. Explain the issues/data lost. Apologize for the event. Offer/Don’t offer credit monitoring for one year. Include phone numbers/web sites/e-mail addresses with more information. Apologize again. Wash. Rinse. Repeat.
Press releases are a different beast and are a way for an organization to give input to the news reports about the incident. Breach press releases generally go into greater detail than a notification, explaining what happened, with or without quotes from the organization. Information on completed or ongoing investigations is included. The obligatory high-level apology is included as well as a promise that “changes are being taken to prevent such an event in the future”.
However, some organizations intermix these two formulas with mixed results. Adding breach notification information, such as where to get more information, to press releases? It can work. Adding press release information to breach notifications? This is where I have a problem.
Why? Generally, most organizations want to include the “we are making changes to prevent breaches in the future” tag line in breach notifications. For example, it seems that Duke University’s physics department took this approach in a letter to students over a recent incident. (Note: Duke is not alone in this and is only included as a recent example.) My question to anyone who agrees with this approach is this: What exactly is the point?
How does it help me to learn that the organization is taking steps to protect against future breaches? My data has already been lost. It is out there regardless of whether or not a future breach occurs. Not to be self-centered, but upon first learning that my personal information has been lost, the furthest thing from my mind is the protection of other individuals in the future. So please, please, please stop including this information in the breach notification; I just don’t care. Oh, and as I’ve talked about in the past, don’t tell me there is no evidence of misuse three days after the breach.
I agree that it is a good step for organizations to talk about the changes being made to prevent future breaches. After all, it shows that the breach is a learning opportunity for the organization. Just keep it out of the breach notification, OK?