In the post about the Five Stages of Data Breach Grief, Troy Hunt linked to a good example of a public apology, the one the Australian Red Cross gave after the data breach they had last year. Watching the AU Red Cross apology made me wonder what makes a good public apology, so I wanted to note what I found here. It turns out there is a lovely site devoted to this called Perfect Apology that covers what looks like all aspects of apologies, both personal and for business. They have a comprehensive and surprisingly entertaining analysis of a JetBlue apology (JetBlue has issued many) that can be found here. The salient points that can be applied to a data breach seem to be:
- Humility and Remorse
You have to show that you care about your customers, because if you don’t care about them they won’t care about you.
- Provide Specific Detail Showing You Understand The Problem(s)
Give sufficient detail to show you understand the problem(s) without giving away any unfixed vulnerabilities. Don’t go down the rabbit hole of citing record numbers (unless that information is already publicly available), or getting too deep into the technical details. This is an apology, not a breach analysis. A brief statement outlining the problem(s), showing that you fully understand them and their implications, is all that is needed here. This is also where you can address rumors. Rumors will always be out there, so you won’t be able to quash them all, but addressing the most damaging ones (without sounding whiny) can help. Don’t get exhaustive with this.
- Take Full Responsibility
If it was all you then say it was all you. Don’t blame the weather, as you could have seen it coming, and don’t point the finger of blame at those filthy Bad Actors; you knew they were out there. If you farmed out some work and that work was compromised, it is still your fault for not A) vetting the vendor, B) reviewing their security practices, and C) keeping close enough tabs on the work. The customer did not entrust their data to your sub-contractor, they entrusted it to you, and you failed to ensure that their trust was warranted. If you are fuzzy about the legalities of where responsibility lies, take a look at the GDPR Attack Plan that Troy Hunt (yes, him again) did for Varonis. While the General Data Protection Regulation is a European legal framework, it may still apply to your company if you do business with European customers. The GDPR, or something like it, will probably be adopted in some form in the U.S. in the future, this being the land of the Something-Something Bill of Rights. So while the legal responsibility in the U.S. isn’t here yet, the mindset of personal data ownership and corporate stewardship is already on its way. Legalities aside, if you collected the data you are ethically responsible for its safekeeping, no matter who “owns” it.
- Recognize Company Role
State how and where you fell down and went boom. If you left a backup of a database unprotected on a publicly addressable server, then say so. If you forgot to patch a server, then say so. If you farmed out a job, then state that your supervision was lacking (even if the sub-contractor lied to you). You don’t have to go into detail and say that you thought about checking the firewall rules but got busy because everyone took vacation at the same time. You can simply stop at saying “We forgot to check the firewall rules”. If you want to get all business-y speak-y, you can state it as “neglecting to complete steps in our security processes”, or some such.
- Acknowledge Hurt and Damage Caused
Stating that you feel their pain shows that you truly understand the consequences of your inaction and how they affect your customers. I know that you cannot foresee all of the specific ways that harm and damage will be caused, so you will be walking a fine line here when you describe them. If you leave this part out, you leave your customers feeling that you still don’t get it.
- Detail Commitment to Change and Taking Corrective Measures
Make sure that you say how you will fix this so that it does not happen again.
- Offer Restitution and Compensation
This doesn’t have to be money. It can simply be a statement of re-commitment, but coupons or something else of monetary value can help.
- Make it Come From the Top
The best person is the leader of the organization; the CEO or President is best. If the organization is very large, I would accept it coming from as low as the VP in charge of the division, but otherwise I want to hear it from the top.
- Express Regret and Hope For A Continued Relationship
Last comes what is basically another ‘sorry’, followed by a plea not to leave. Pour on the love and ask for their permission to try again and make this right. Invite customers to dialogue with you. Involve your clients, industry experts, analysts, media people and the general public in the broader discussion about the source of the problem.
It can be a bit more corporate-y, like the template given here, but the JetBlue example is more comprehensive and connects more with the customer because it includes all of the above parts. If you can possibly put up a video of the entire statement being read by the highest-ranking person in the organization you can get, then all the better.