10 Of the Laziest Breach Notification Phrases That Just Need to Go

According to a recent survey, three quarters of consumers would drop a company that compromised their data. What’s more, according to an article published in Security Magazine, at least two-thirds would no longer trust a service provider in the aftermath of a data breach. This being a US study, one could surmise that many consumers have ample choice of competitors; but in the sparse Canadian market, where oligopolies are the norm in banking, utilities, telecommunications and many other sectors, consumers would largely fall into the latter category: they would lose trust, yet have few places to go. It therefore seems eminently surprising that, given the small market size and the likelihood of irreversible brand damage, Canadian companies hit by cyber breaches would consciously choose to regurgitate apologetic statements that seem, from every perspective, to be less than helpful.

Heroic stance against extortion or lack of access to breach coaching?

Companies that lose vast amounts of information but categorically refuse to negotiate with extortionists ultimately end up paying no ransom at all, because doing so would mean “rewarding criminal activity”. Such a course of action always seems to indicate a basic failure to understand the meaning of “risk minimization”, particularly when one considers that such payment arrangements are almost always covered by a simple cyber insurance policy. After a company demonstrably fails to protect the private data of its customers, should it not do its best to reduce the chances of that data being misused, or should we take the staunch stance as a tacit indication of a lack of insurance coverage? Another example of an excuse for inaction is the popular quip: “there’s no guarantee that we’ll get your data back, so we will not be paying the ransom”. Have you asked the victims whether that’s an argument they’re willing to support? Studies by Kaspersky and others show that upwards of 50% of those who pay get most or all of their data back, so why intentionally choose to give up on 100% of it?

How many ways to say "we messed up and you're not getting your data back" are there?

It’s time to give up on the fatuous, insulting phrases that have come to define acquiescence in negligence on the part of companies whose inattention has led to the compromise of the personal identities they have been entrusted with. The human beings whose private data was compromised deserve better, so I propose a running list of the phrases that we should all become allergic to, in anticipation of the next letter of apology to hit our mailbox. In order of frequency, here are some explanations of breaches that range from “there’s nothing to see here” to “your data is important to us, but not important enough for us to pay to get it back”. In all cases, the identity of the company has been left out of an abundance of kindness:

  1. The downtime is due to an "operational issue".
  2. The breach is still under investigation and we will share more information when it is complete.
  3. Out of an abundance of caution we strongly advise users to change all their passwords.
  4. Bad actors have gained limited access to certain systems, but we will not pay the ransom.
  5. We apologize for any inconvenience.
  6. There is no indication that the (stolen) information is being misused.
  7. Only emails and names have been improperly accessed.
  8. The protection of customer data is very important to us.

Seen any choice phrases that might be triggering? Send them to me and I’ll update this list. The bottom line is that transparency, at least in modern times, appears to be a rarity. In many cases, breach notification letters seem to try to strike a balance between fulfilling a legal requirement and dissuading the victims from retaliatory action. Would it not make the most sense to write a genuinely heartfelt letter that not only explains that every measure is being taken to correct the issue, but also resonates with the potential customers who will almost certainly stumble upon it in the future? Either way, the Internet never forgets, so both companies and consumers are advised to choose wisely.