Like companies in the private sector, federal agencies may eventually be required to notify citizens of an information security breach on a federal computer network that exposes citizens’ personal information, such as Social Security numbers, financial data, addresses and credit card numbers. (The Federal Agency Data Breach Protection Act, introduced by Rep. Tom Davis, R-Va., in May, would establish standards for how an agency informs the public if it loses personal information, as does similar legislation passed by more than two dozen states.)
As is the case in most comparisons with the private sector, the federal government would likely not do as good a job in notifying the public, most people would say. But that isn’t the case in one real-world example. In its December/January issue (not yet posted online), CSO Magazine compares how Monster.com and USAJOBS, the federal government’s site for job openings, handled the security breach of Monster.com’s database of resumes in August. About 146,000 names and contact information of job seekers on the USAJOBS Web site were stolen.
CSO Executive Editor Scott Berinato offers a side-by-side comparison of the notification letters that the organizations sent out to notify customers of the breach. (He describes such notification letters as requiring “verbal contortionists who must twist words unnaturally and move sentences in awkward, sometimes contradictory directions.”)
The upshot: USAJOBS did a relatively better job in its letter than Monster.com did, according to the two anonymous public relations executives CSO asked to critique the letters. Here’s a synopsis of CSO’s critique:
-- While neither organization should have started out their letters using the “dear” salutation (the personal touch doesn’t match the urgent tone of the notice), USAJOBS executives wrote a better letter by stating the facts immediately and clearly versus Monster’s “hollow marketing spin” opening. (“We value the trust you place in Monster,” the company’s CEO wrote.)
-- USAJOBS avoids saying sorry and uses the more legally safe word “regrettably.” Monster tells readers that they, too, are a victim in this crime (a no-no) and that many other companies have experienced security breaches as well (another no-no). USAJOBS does not offer similar excuses.
-- Monster violated the rule more than USAJOBS in urging customers to learn more about online fraud. (That makes it sound like customers/citizens are partly to blame for the breach, which is an implication you don’t want to make.)
-- Both organizations failed in putting the breach into the fuller context of what the breach could mean to the customer.
Maybe one reason why Monster’s letter was less effective than USAJOBS’ letter is the fact that Monster’s letter had more of a lawyer’s influence. The federal government may be less afraid of being hauled into court over a security breach.