Who Got Hurt?

A friend of mine is a writer with a major national publication. We keep in regular contact, and every so often I’ll try to interest him in a story. He’s an excellent scribe and has specific criteria for following up on the leads I give him. One question he often asks is, “Who got hurt?”

That question came up a while ago when we were on the topic of privacy protection. It’s a big issue, I argued, and businesses that don’t pay attention to data protection, that fail to gain consumer trust, will suffer. I pointed out research that showed trusted companies turn customers into regular customers, and regular customers into more profitable customers.

“Who got hurt?” he asked.

I continued with my high falutin’ concepts and cited more studies.

“Who got hurt?” he asked again, elaborating to explain that credit fraud is nothing new, but that if I could point to a situation where mismanagement of personal information resulted in someone getting hurt, physically, he’d take a closer look at my idea.

Today I found that story. It’s a sad case from this past weekend in which a fugitive from California managed to elude detection during a background check to gain employment at a car dealership. He then used his position as a car salesman to access customer files and track down a female customer at her home, where he raped her at gunpoint.

There are so many ways to analyze what went wrong here, and no easy answers. I’ll start with the breakdown of a system that could have – should have – identified the perpetrator as a fugitive. What happened next would be pure speculation, and, while credit and personal information in an atmosphere such as an auto dealership may be treated cavalierly, a salesman in that situation must have access to privileged information in order to help the customer complete a transaction. Information – personal information – is essential to doing business these days.

We rely on certain systems to filter out and create distance between us and untrustworthy individuals. We trust that states and businesses follow the rules and do their best to prevent worst case scenarios. It doesn’t always work that way.

Locally, a waiter in a Holden, Mass diner was arrested after skimming patrons’ credit cards and using the information to charge over $100,000 before getting caught. (Sorry…reports are currently only available online via subscription sites.). The thief worked at the establishment only three weeks before quitting, apparently figuring he’d swiped enough info to live richly at the expense of others.

Analysis: People are getting hurt, physically and financially. Consumer trust is being assaulted from all sides. There’s a real need to take action to prevent these sorts of things from happening. The answers aren’t easy, but they are necessary. Open communications with the public about these issues and how you are working to protect them and their trust has to be a part of your communications strategy.

Cut Me Off a Slice of That

This is a little off topic, but it was revealed last week that the Bush Administration spent $1.6 billion (with a B) on public relations over the past two and a half years.

The money was spent on a variety of efforts, from ad buys to paying for consultants to underwriting the writing of conservative commentators. My first thought was "where can I get me some of that?" But this is not the forum for delving into the politics of this spend, and no one wants me to go off on a rant of my personal views, but I did find some of this flackery to be interesting.

In particular, the $250,000 given to Armstrong Williams (as well as other money spent on other columnists) to tout Bush's No Child Left Behind policy, which gets into a growing area of PR/marketing called "Word of Mouth Marketing," or WOMM.

This practice first came to my attention a couple years ago when it was revealed that some firms were paying teen 'net denizens to talk up products within their online peer groups. Researchers had identified influential personalities and paid them money and with free swag to drop mentions of certain products.

Since that time, the ethical considerations of WOMM have been raised. Does enlisting teens and targeting a teen audience violate the Child Online Protection Act (COPA), for example?

I'd be remiss if I didn't point to some of Alan Chapell's thoughts on this subject.

The world of PR is changing. Issues that weren't a concern even a year ago are now emerging as a potential boon to buzz-building, or potentially damaging to credibility. One-on-one communications is becoming more and more important, but how this is carried out can be the difference between success and failure. Bush gets caught paying off supposedly independent voices. His credibility takes a shot. Marketers get caught paying teens to tout their wares. Credibility takes a shot.

It's likely that the strategies and tactics employed to create word-of-mouth buzz will evolve quickly in the coming months. There is no real book of precedent to build upon here, so it will take creative thinking to accumulate a set of new practices, and a lot of trial and error to determine what works.

Recommendations: What a great opportunity to innovate, but while throwing caution to the wind in a brainstorm session is fine, before moving forward with any new strategies, it is incumbent upon decision makers to do their best to follow each to its manifold end result and figure out which contingencies may result in a loss of credibility. Trust in communications is essential, and we do ourselves and our clients no favors when, enamored by a newly minted brainchild, we fail to conisder all possible outcomes.

Happy Anniversary, ChoicePoint

Data privacy changed dramatically on February 15, 2005. That was the day the world learned that data aggregator ChoicePoint sold 150,000 or so consumer dossiers to Nigerian scam artists posing as small businesses.

Because some of those dossiers contained credit profiles of California citizens, provisions of that state’s data protection law, SB 1386, were evoked, requiring ChoicePoint to notify about 35,000 people that they were at risk of credit fraud and identity theft.

That’s when things started getting interesting.

Observers, including journalists and privacy advocates, started pressuring ChoicePoint for more information. If the breach included information for 35,000 Californians, how many files from the other 49 states were included? Why weren’t those individuals being notified?

Initially, ChoicePoint dug its heels in the ground. The company had done no wrong, it said, and was tricked into selling the consumer data. Furthermore, ChoicePoint was cooperating with authorities to help track down the real criminals. But as the volume of protest rose, eventually ChoicePoint relented and sent notices to all those they said had been affected by the incident.

Significantly, ChoicePoint’s actions in the days following the February disclosure established a precedent with major implications. Since that time, organizations whose consumer data has been compromised have been under pressure to disclose such breaches, even when California SB 1386 has not come into play. Many states have either passed or are currently debating law modeled after SB 1386, and Congress is debating a federal law on the issue of consumer data protection. We can agree that much good has come of the ChoicePoint breach.

But this is a blog that examines communications, and it is important to note that, from a public relations standpoint, ChoicePoint did everything wrong related to the breach.

The sale of information to the Nigerians, according to ChoicePoint, happened months earlier. They knew they had a potential crisis on their hands, and they had plenty of time to prepare for any number of crisis contingencies related to the breach. From everything I was able to observe at the time, there was no plan in place. Or, if ChoicePoint did have a plan, it was a lousy one.

ChoicePoint blamed the Nigerians, claiming no responsibility for the lack of a process requiring it to vet the legitimacy of its transactions. Even when it became clear the breach had affected consumers across the country, ChoicePoint clearly didn’t want to take the time and expense to do the right thing and treat everyone equally. It would comply with California law, but everyone else was on their own.

Their attitude immediately following the disclosure was less than contrite. It was downright arrogant, but that arrogance only served to keep the spotlight on ChoicePoint, until the pressure got to be too much. Market reaction also came into play as ChoicePoint stock took a major hit.

Ironically, within a few weeks, and while ChoicePoint was still dealing with their public relations fiasco, Bank of America lost storage tapes containing 1.2 million customer records – including federal employees and members of Congress. BoA’s breach was nearly ten times larger than ChoicePoint's, but BoA moved quickly to take responsibility and initiate notification as well as other steps to help protect consumers. Instead of taking the heat off of ChoicePoint, the BoA breach offered contrast to ChoicePoint’s reaction. BoA’s reputation certainly took a hit, but the damage was minimal. ChoicePoint remained (and remains) imprinted in the public’s memory as the poster child for bad data protection behavior.

To be fair, ChoicePoint has gotten its act together since that time. They hired a high-profile chief privacy officer, former Transportation Security Administration executive Carol DiBattiste, empowering her with real authority over issues related to compliance and data protection. ChoicePoint has also instituted sweeping change within the organization to address the conditions that led to the infamous breach. Their public communications have improved, as well, and they have made an effort to keep the public and market informed of these ongoing changes.

Observation: Where to begin? Any organization should, as a matter of course, conduct an objective audit of its operations and consider all the worst case scenarios and have a crisis communications plan in place, especially for situations where the worst case involves potential harm to people. ChoicePoint seemed to have had no such plan. Under these conditions you simply cannot wing it and expect to emerge unscathed. ChoicePoint’s reputation suffered severe damage, and it remains tainted by the incident. Going further, it is critically important to understand where your risk lies and take steps to address those areas before there is a problem.

What is the objective?

I promised an analysis of the Boston Globe's notification letter, stemming from the January 30 disclosure of subscriber credit card and bank routing data.

In general the letter, dated February 2, seems to cover all the bases, but there is one critical element missing from the letter (I'll transcribe the text in a separate post): addressing the concerns of the subscriber.

The letter begins with a synopsis of the situation, offers a brief explanation of the Globe's actions following discovery of the breach, then moves on to tell the recipient what he/she should do to protect themselves. There is a second page addendum entitled "Steps to take to protect your credit and identity."

Here is the problem I have with the letter:

The Globe is the party responsible for the breach, yet the emphasis of the letter is to place a burden on the affected subscriber. Apart from a closing paragraph that offers "our sincerest apologies for any inconvenience or concern that this incident may have caused you," there is no hint of regret on the Globe's part, or any attempt to address the most basic of questions most people would have upon learning of the breach. In fact, the weak mea culpa is followed by the line "Your business is very important to us." Not your safety or your financial well-being, but your business.

Speaking with my mother-in-law, she had many questions related to identity theft and credit fraud raised by the incident. Her questions, I imagine, were shared by the more than 200,000 subscribers who also received the letter. The Globe missed an opportunity to demonstrate true concern for these people.

Was the disclosed information sufficient for an individual to make fraudulent purchases? Was enough information disclosed to allow someone to create new credit accounts? What are the chances of credit fraud/identity theft happening to me as a result of this incident? Precisely what information was and was not disclosed? How did the incident happen and what steps is the Globe taking to ensure it does not happen again?

Recommendation: When a data breach occurs and people are affected, there is a loss of trust that takes place. The Ponemon Institute's recent 2006 Privacy Trust Study for Retail Banking shows that a single breach can result in 34 percent of a bank's customers losing faith in the bank's ability to protect personal information. It's not a far leap to conclude a similar loss of trust would be suffered by other businesses. Therefore, communications following an incident should do their best to offer sincere apologies, anticipate and answer questions, and demonstrate to the customer that decisive steps are being taken to safeguard their interests and ensure similar incidents do not take place again. Information to help the affected should be offered as a service, not positioned as the vendor's way of unloading responsibility.

And, of course, a plan should be in place to deal with such incidents before they happen. An audit should be undertaken to identify data management practices and policies, as well as the technologies deployed to protect data and enforce policy. And training and awareness programs developed and delivered to ensure a top-to-bottom understanding of each person's responsibility as part of the chain of data protection.

How does this happen?

Late in 2004 the Canadian Imperial Bank of Commerce made news when West Virginia junk dealer Wade Peer disclosed he'd been receiving confidential faxes from the bank containing customer account information.

Peer said he'd been trying to get the bank to stop because of the nature of the information and because the transmissions were so numerous as to disrupt his business.

At the time I recall thinking, "how does one manage to accidentally fax information to the wrong machine?" Especially in the CIBC/Wade Peer case, where a West Virginia salvage yard would seem to be an unlikely number for a Canadian bank to have in its Rolodex.

Similar incidents have been reported since that story first broke, and now this week we learn that Brigham & Women's Hospital in Boston has been faxing patient data to an investment bank across town.

As with the CIBC case, the recipient of Brigham & Women's faxes attempted, to no avail, to get the hospital to stop.

This is the second high-profile breach of personally identifiable information to come out of the Hub in the last two weeks. We're already following the Boston Globe's disclosure of more than 200,000 credit card accounts.

In the Brigham & Women's case, the breach goes beyond the usual credit data. Yes, published reports say that names, SSNs, and other PII necessary for credit and identity fraud were part of the transmissions, but medical data were also included, including information related to test results for sexually transmitted diseases.

How has Brigham & Women's responded to the breach so far? Not well.

The investment bank says they've contacted Brigham & Women's a dozen times over the last six months, and each time they have been told that the problem would be resolved. But it hasn't. Being called out in the media has gotten the attention of someone at Brigham & Women's, prompting them to issue a statement, which I have not found on the hospital's web site, nor have I been able to find via Google.

Considering the nature of the information disclosed, one would think that a hospital - especially one with Brigham & Women's stellar reputation - would want to reassure past and future patients that potentially damaging information will not be made public as a result of a stay in their facility. For the moment, I'll assume that the hospital is taking steps to identify and contact all affected patients. But apart from brief statements in the press, there is no such evidence.

So how does something like this happen? A clerical error, most likely. The wrong number saved on the office fax happens to reach the wrong fax machine elsewhere but, because the fax report indicates a successful transmission, no one notices. Until that is, the recipient calls the hospital to notify someone. At that point it would seem to be an easy problem to fix: find the erroneous number and change it.

In my opinion, the error is symptomatic of a larger problem: lip service paid to the issue of data privacy, but no pervasive action within the organization to raise awareness of how such breaches might occur. Had the seriousness of this issue been communicated within Brigham & Women's, from the top down through to all levels of the organization, the problem might not have happened in the first place, and would almost certainly have been fixed upon initial discovery.

Recommendation: Training and awareness. Technology is often the focus of data security, but the weakest link in this chain has been shown again and again to be people. And while a hospital clerk may have pushed the button in this case, the responsibility rests at the top of the organization. Without adequate support from the boardroom, security rarely filters down through to where it is needed most. Helping everyone in an organization understand their role in maintaining proper security and data privacy is an organizational imperative, and it starts at the top.

Against the Gods

I've been reading a fascinating book by Peter Bernstein called Against the Gods: the Remarkable Story of Risk. It's the story of the role risk has played in the history of the human race.

The book leads with a fascinating hypothesis - that before the concept of risk was formed, we as a species were creatures of habit, fear, and superstition. If one of our ancient ancestors successfully accomplished a task by doing one thing, he and all his tribe would continue to do that thing. When variables (such as weather) caused a different outcome than the expected, action was taken to appease the forces responsible.

The emergence of the concept and subsequent mastery of risk is what propelled our species over mountains and across the seas, led to the advancement of scientific discovery and the sophistication of the arts.

The mastery of risk is still a factor in business, and an important one in the realm of privacy, where those companies responsible for managing and protecting sensitive data seek ways to measure their level of risk, and then take the necessary steps to minimize their exposure to the downside.

Dr. Larry Ponemon has done a number of excellent studies to show the importance of responsible data management (and the consequences of failing to manage data responsibly), and many companies out there tout their ability to help organizations mitigate risk associated with data management, but I haven't seen a formula or methodology that helps companies truly measure their level of risk.

The Ponemon Institute conducted a post-mortem study of data loss events from 2005, based on disclosures under California SB 1386, and found that it can cost companies as much as $1,000 per data file when a privacy breach occurs, and that the average total cost for such a breach is about $14 million. The potential for an organization to come out on the bad side of risk, however, is much different than that organization's total exposure. A lack of understanding of the level of risk often leads to poor decision making. A lack of knowledge related to the factors contributing to an organization's level of risk can also lead to bad decision making.

But as companies in possession of PII go racing for the panic button, there is an opportunity for solutions providers to communicate their value. When that value is offered in terms that are attainable -- described in ways that put the problem/solution equation in real terms rather than merely offering jargon-addled hyperbole -- the effort to establish credibility is made simpler.

Recommendation: Direct, simple communication works best when dealing with elusive, intangible concepts. Identify the problem within a context that makes sense, show the risk involved, and draw clear lines between the problem(s) and the ways you can address the issue. Back it all up with credible, corroborating research from trusted sources.

And if you have a formula for calculating an organization's level of risk, let me know.

Boston Breach, Continued...

Continuing to look at the Boston Globe/Worcester Telegram & Gazette breach, I learned that my mother-in-law was one of the affected subscribers. I spoke with her at length last week when I learned of her situation.

I suspect my mother-in-law's experience is fairly representative of most whose credit card or banking data was compromised by that event on the morning of January 30. She heard of the breach from a news report and found out on her own, four days later, that her credit card data was among those on printouts used to wrap bundles of the paper for morning delivery.

After calling the Globe's hotline to confirm, she took appropriate action with her credit card company, but when I spoke to her she seemed to have more questions about the integrity of the personally identifiable information. Was her Social Security Number disclosed? What about her address?

She still has not received a notification letter from the Globe, but I will obtain a copy of that document when it arrives and offer an analysis of its content.

Massachusetts does not have a credit breach notification law, but precedent set nearly a year ago by ChoicePoint all but demands that organizations responsible for the breach of PII in their care take steps to notify affected consumers. Senator Jarrett Barrios is calling for a new state law to address the situation. Federal lawmakers are all but certain to pass a national law that will supersede individual state laws addressing this issue.

Once I have had a chance to read and analyze the Globe's letter of notification, I'll give you my thoughts.

Lead by Example

I promised myself I wouldn't overdo it in the opening days of this forum, but in my original draft of "Shameless" I closed with a local breach that is making national headlines. I felt I had to give the event more play, so I cut it out and pasted into this entry.

Four days ago, here in Massachusetts, the Boston Globe and Worcester Telegram & Gazette experienced a breach of their own when printouts of subscriber credit card data and checking account routing numbers were used to wrap bundles of newspapers Sunday night for Monday morning delivery.

How are two newspapers handling the communication of this event with their subscribers and the public in general? Thus far I haven't seen anything that impresses me. A press release and a story by their own staff. The Associated Press story (linked above) and other stories, such as the one carried by cross-town rival Boston Herald suggest little effort beyond the minimum to reassure potential victims about what is being done to protect them and minimize their risk. Meanwhile, reports that spokespeople for the papers are refusing requests for interviews with broadcast media are circulating.

Suggested course of action? The Globe and T&G should lead by example here. They should actively engage their customers and the public to discuss the issue and what they are doing to address the situation, and they should respect the requests of their colleagues in the media. They learned of the breach the morning of January 30 and, with 24 hours to prepare for disclosure, both papers should have had a notification plan in place that included a thorough media strategy.

Four days into this event there is no evidence to suggest that either organization, both of which are owned by the New York Times, gave any thought to a crisis communications strategy beyond meeting their minimum obligation. It's a missed opportunity for a pair of newspapers that dominate their markets and, as such, have a unique platform for communicating to their customers and the public.

Shameless

I'll begin this dialog with a shameless bit of self promotion, but one that conveys the motivation behind this effort.

Last May I was interviewed for an article in the Peppers & Rogers newsletter Inside 1to1: Privacy on the importance of communicating issues related to privacy. In the article I made the point that, like a nervous parent addressing the birds and the bees with a child, many companies are uncomfortable with raising the issue of privacy protection with their customers. They put it off and hope that things will take care of themselves.

Unfortunately, as with sex, obtaining an education on the street may have dire consequences. And the regret of many a parent is that they didn't have the first conversation, because the one they are now forced to have is a lot more painful.

Would you prefer that your customers learn what steps you are taking to protect them, or hear sensational stories of credit fraud and identity theft, hackers and spyware, and become fearful of building a more trusting (read: profitable) relationship with you?

Communication is the key to establishing a trusting customer relationship, whether that customer is a grandmother living in some dusty Midwestern town, or a Fortune 500 corporation in the heart of New York City.

In the coming weeks I'll revisit some of the data breaches that have happened since ChoicePoint to see what we can learn from those cases, and I'll track other events as they happen to offer analysis and recommendations in as close to real time as a blog allows.

I suspect there will be no lack of examples. The Privacy Rights Clearinghouse has tracked more than 100 privacy breaches, exposing more than 50 million files containing personally identifiable information since ChoicePoint.

The hits just keep on coming.

About Me

I figure I should start things off with a little bit about me so that you'll know why I feel qualified to blog on issues related to PR, privacy, and data security.

I've been a writer and public relations flak for the better part of the last 15 years. Not that length of service necessarily defines me as a maven on any particular topic, but it at least demonstrates that I'm smart enough to have remained consistently and gainfully employed or otherwise engaged during most of my adult life.

Prior to that I spent four years as an intelligence analyst for the US Navy. There were a few intervening years spent narrowly avoiding serious injury in construction as well as working my way through college at the University of Southern Maine. I'm also a passionate fly angler, spending as much time as I can find casting to any number of species that swim in the waters of my native New England (striped bass, largemouth bass, sunfish, and pickerel, primarily), or traveling to places such as Alaska or Nova Scotia for different challenges afield. Often gratuitous, occasionally relevant, you'll notice angling references in my work from time to time.

In April of 2003 my career path brought me to York, Maine and the International Association of Privacy Professionals where I served as newsletters editor until July of last year. Today I am happily knocking around as a consultant and freelance writer.

During my 27 months with the IAPP I had an opportunity to become intimately involved in one of the more formative business issues in recent years: data privacy.

At first glance data privacy seems (and seemed to me at the time) to be one of those esoteric subjects that deserves little more than obligatory consideration; leave it to the lawyers, and don't take too much of my time.

But timing is, indeed, everything.

I joined the IAPP shortly after the appointment of Trevor Hughes as executive director, and at a point when numerous events were converging and gathering critical mass. Regulations such as HIPAA, GLBA, and SOX were nearing critical deadlines; the emergence and early adoption of RFID technology was happening; California's SB 1386 was about to become law, putting a number of events in motion that would culminate with the ChoicePoint debacle... it was a fascinating and exciting time to get involved, and under Trevor's leadership, the IAPP quickly established itself as the leading voice in privacy.

Before long, I found myself immersed in the issues and involved in the community. My writing and opinion on various issues were finding an audience and gaining respect. I met people who would have a profound impact on my work and who would become friends as well as colleagues. I achieved certification as an Information Privacy Professional (CIPP).

Most importantly, I maintain an active dialog with my friends and colleagues within the privacy community. We often discuss the hot topics of the day, and it is that dialog I hope to share with you. In addition to my opinions, observations, and occasional rantings about privacy and data security, I'll share insights from my network.

I look forward to sharing this space with you, offering my insights, and introducing you to some of my friends. Over time, I hope to have an influence on your perspective, and I look forward to hearing what you have to say.

Mike