It's Not The Size Of The Data Breach That Matters: All Of Your Customers Are Affected - InformationWeek

Commentary
1/6/2006
03:03 PM

It's Not The Size Of The Data Breach That Matters: All Of Your Customers Are Affected

The oft-forgotten element of the endless procession of consumer data breaches is how companies manage the aftermath. It's an undertaking that can be summed up in two words: damage control. And one company that found itself on the wrong end of a breach last month--Marriott Corp.--is only getting half of the effort right.

In the case of customers whose data is known to have been compromised, the choices are relatively simple. The companies in question have to do everything in their power to communicate with those customers, keeping them in the loop about efforts to plug the holes and find the data, and helping them deal with the consequences. Where things are a bit more complicated is with customers whose data appears to have been unaffected.

Marriott's timeshare unit--which lost backup tapes containing customer records late last month--has handled the first group adequately by doing things such as offering free credit-monitoring services for a year. But when it comes to the second group, Marriott is providing exhibit A of how not to put that segment at ease.

InformationWeek's cover story on this topic last week, "Sad State of Data Security," included some input from a Marriott Vacation Club International customer, Vic Christensen, owner of a Marriott timeshare unit, who said he'd have a hard time trusting the company again, even if it proclaimed his data safe. The fact that the company had said on its Web site that only customers directly impacted by the loss of the tapes would be extended a year's worth of free credit monitoring services only braced Christensen to be doubly disappointed.

Lo and behold, he got an email from Marriott over the New Year weekend, affirming that his name, Social Security number and credit card information were not on the lost tapes, and that he'd be receiving an "unaffected owner" letter to that effect shortly. In other words, as far as Marriott was concerned, there was no reason for Christensen--and thousands of other "unaffected" customers--to give the matter another thought.

The problem is, Christensen is most definitely giving it another thought (and so are a lot of other customers, no doubt). In a subsequent E-mail exchange I had with him, Christensen made it clear that Marriott's declaration that his data was safe didn't make him feel any better. "My first two thoughts after reading this were, 'Yeah, right' and, 'And I should believe you because...?'" he wrote. "Maybe they're hoping people will just take their word for it and not cause any trouble."

That's certainly how it appears. And even if Marriott really does know definitively whose data was or wasn't on the tapes, and is right that a lot of "unaffected" customers won't cause any trouble, it's still the wrong approach.

I don't mean to be picking on Marriott. Certainly they're not the first company to handle a data breach in this manner, and they won't be the last. But Christensen's response speaks volumes about why companies that are compromised should reach out to all of their customers. It doesn't matter whose data is safe after the fact. What matters is that customer confidence is eroded, and that's what a company in Marriott's situation should be trying to repair above all else.
