May 4, 2009

by Michael Starksdoor

Bloggers and writers often lament the challenge of finding new material. When we do write about a topic, it is often a second-hand story, perhaps commenting on the big news of the day. This month is different, thanks to Gexa Energy, an electricity provider based in Houston, Texas.

Last month, my wife received a letter from Gexa Energy informing her that a data breach may have involved her non-public personal information. I guess they weren’t entirely sure. The letter describes how their monitoring systems alerted them to the intrusion on April 30, 2008, the date of the incident. The breach was contained and there is no evidence of any improper use of her information (had her information ever actually been involved). They even caught the person responsible and are prosecuting them, Gexa says.

Did you notice the timeframe between the discovery of the breach and the notification? I didn’t, until I read about it again in a news story. Almost a year passed before they let anyone know. But don’t worry, law enforcement told them not to tell anyone.

The letter went on to list the types of information that might have been accessed, which included the usual suspects: driver's license number, Social Security number, date of birth and so on. The next underlined sentence emphasized that no credit card numbers or bank account numbers were compromised.

Gexa was even helpful enough to point my wife to some sources for credit monitoring and reports, although these are already free resources. Finally, they created the ironically titled site to help everyone feel better about the whole thing. The letter closed with the usual statement of how they take things real serious-like and how they deeply regret her concern. No one signed the letter.

How a company responds after a breach is a strong indicator of their commitment to protecting your information. In this case, Gexa failed miserably. They:

1. Failed to accept personal responsibility for the breach by not having an executive sign the letter.
2. Failed to conclusively state what information had been accessed, and when.
3. Made no offer to pay for personal credit monitoring.
4. Used emphasis in the letter to minimize their culpability and responsibility.
5. Made the inexcusable and legally questionable decision to wait almost a full year before notifying affected people of the breach.

Breaches happen. In today’s world, that’s a fact. With this breach, Gexa’s response only serves to remind us that honesty is the best policy. Passing the buck and failing to take personal responsibility will only alienate customers who might otherwise have been willing to forgive you.
