How to Tell Me You Let Somebody Steal My Personal Information

By  |  Friday, April 29, 2011 at 3:53 pm

I’ve been getting a lot of urgent messages from major companies I do business with lately. Urgent messages telling me that information I gave them has been stolen by unknown parties.

Yup, I’m not only a PlayStation Network member–and therefore a victim of the current Sony security breach–but also a customer of at least three companies (Marriott, TiVo, and 1-800-Flowers) who were involved in the recent data theft from marketing company Epsilon. I wrote about this for my new TIME.com Technologizer column, But after reading all this correspondence, I have some advice for the corporate entities who send these e-mails. (I care about this stuff in part because I have the uneasy feeling I’m going to be getting a lot more of these messages in the future.)

1. Put it in the subject line. No, the subject line doesn’t need to be “YOUR DATA WAS STOOOOOLEN!!!!!!” But something like “Important Information for 1800Flowers.com Email Customers” is too vague, especially since I’m used to big companies claiming that everything they want to tell me is important. (And what the heck is an “email customer,” anyhow?)

2. Tell me what leaked, what may have leaked, and what didn’t leak. Sony, TiVo, and 1-800-Flowers were all pretty clear about what information was at risk. Marriott’s message, however, was vague about what was stolen–in this case, my name and e-mail address–which could leave me jumping to unwarranted conclusions.

3. Be calm, but not dismissive. Marriott’s e-mail about the Epsilon breach told me “In all likelihood, this will not impact you.” That may be true, but it contacted me because there’s a chance that it might impact me. I don’t want companies to fearmonger, but they should address worst-case scenarios.

4. Tell me how to contact you. You’re the guys who I trusted with my info; if I still have questions after reading your e-mail, I should be able to ask them. Of you, not of some third-party consumer agency. (Credit where credit is due: Sony ended its PlayStation e-mail with a phone number to call.)

5. Don’t tell me you take my privacy seriously or remind me how valued I am. I’m sure you do. I’m sure I am. This isn’t the right time to tell me, though.

6. Apologize. I know that it’s not your fault there are cybercriminals and other nogoodniks out there. I understand that some third-party company may have suffered the breach. But you’re the ones I gave my information to. Something bad happened. You’re the one I expect an apology from.

7. Sign your letter. I mean with the name of a human being with a title–somebody’s willing to take responsibility for this, right? Of the companies I’ve recently heard from, only 1-800-FLOWERS did this.

(This post republished from Techland.)

 
2 Comments


Read more: , , , ,

2 Comments For This Post

  1. Steven Fisher Says:

    This would have been a more interesting story with the text of the other emails included. (Anonymized if necessary.)

  2. Ameli@EthicalHacking Says:

    Most companies that were victimized by online hacks and other forms of attacks don't immediately divulge information to their customers, especially if the one attacked is a financial institution. Take for instance the case of Bank of America.

    Last year, BoA was attacked. The result? More than 300 customer accounts were hacked. The breach has only recently been made public. According to some reports, over $10 million were stolen from customer accounts.

    BoA only disclosed the said incident after more than 300 days.

Comment on This Story