By Adam Dodge
I would like to issue this public statement to any company that already has or will in the future expose my personal information:
“Stop telling me there is no evidence of Identity Theft if it has only been one hour, day, or week since your organization suffered a breach!”
It is ridiculous that any organization would think individuals find comfort in such an announcement. Of course there has been no evidence of ID Theft: affected individuals had no reason to check for ID Theft before the incident. Simple, rational logic tells all of us that we will never find what we do not know to look for.
In addition, the danger of ID Theft persists for affected individuals long after the initial breach. Once records are exposed, there is no possible way to control how the individual(s) who obtained them will use them. Couple this with the fact that much of the personal information tied to ID Theft does not change during an individual's lifetime, and the real danger of such exposures becomes evident. After all, there is very little value in telling anyone that there is no evidence of Social Security number misuse after only a short period of time when that same individual will most likely have the same SSN for the rest of their life.
If companies really want to reach out to users and make amends after a breach, here are a few suggestions:
Admit responsibility for the incident and offer to pay for credit monitoring
When an information security incident occurs and customer information is exposed, the company is no longer the victim of this crime; the customers are. While this may not seem fair to the company, tough. Customers trust companies with their personal information in return for a service. When that same information is exposed to unauthorized individuals, companies invalidate this trust. Offering credit monitoring is a way for a company to help rebuild trust with customers. The good news here is that studies have shown only a small number of affected individuals ever take companies up on the offer of free credit monitoring, so credit monitoring also becomes an inexpensive way to gain positive PR after a breach.
Do not use an employee as a straw man for why the breach occurred
It is somewhat disturbing when a company or organization is willing to throw an employee to the wolves as the sole individual responsible for a security breach. Not only does this show that the company places little value on its employees, but as a consumer, I simply do not buy this excuse. When a company places blame on employee “misconduct,” the first thought I have is not “Wow, what a bad employee.” Instead, my first thought is “Wow, I cannot believe that Company ABC has no internal controls that would have caught this employee misconduct before the breach.” After all, if the employee was truly acting against company policy, there is no reason to think the company would not have caught this through internal control procedures.
Wait at least one month before telling customers there is no evidence of misuse
If companies truly wish to inform customers that there is no evidence of identity theft or misuse of customer information, they should wait at least one month after announcing the breach. While immediate proclamations of “No Identity Theft” send my rage-o-meter flying, I have no problem with such an announcement per se. By waiting, watching, and continually following up with affected customers, a company proves that it has a commitment to its customers and, when coupled with free credit monitoring, a commitment to helping its customers deal with the effects of the breach. In other words, there is great value in following up with customers to ensure no identity information is being misused, as long as companies wait for customers to check for signs of misuse first.