Why otherwise adequate breach response plans may fail
One of the recurring themes by commenters on this blog is that they got a breach notification that offered them free credit monitoring services, but:
1. They can’t access the site they’re directed to;
2. They are alarmed that the site asks them for their personal information; and/or
3. They have no reason to trust that site or company because there’s nothing on the site that inspires that trust or confidence.
By now, I’d have hoped businesses would have addressed this in their planning and notification letters, but that doesn’t appear to have happened. So in the interest of getting the word out to law firms that help their clients write breach notification letters or entities who are otherwise involved in breach responses:
Try to see this process through the letter recipient’s eyes. Assume they have never heard of the credit monitoring service or company you have made arrangements with and tell the recipients why they should trust them.
Tell them that they will be required to provide that company with personal information such as date of birth and Social Security number – and explain that it really is necessary, and why.
Explain that you are not being lazy and would love to do this for them, but you cannot sign people up for the free service because [insert explanation here].
Ensure that the firm you have contracted with can handle the load on their site and server so that it doesn’t crash repeatedly and frustrate your customers or employees even more.
Ensure that the firm you have contracted with has a web site that explains who the firm is and their background in providing credit monitoring services. Is their contact information prominently posted so that nervous customers can call them easily? Even if it is, do include their phone number in your notification letter for inquiries.
Gee, I would have thought much of the above should be pretty obvious, but apparently it needs to be said – and repeated – until everyone gets the message.