Here are 10 examples of data breaches and the resulting apologies issued by companies, universities, and one government agency. After each apology, the team from the Web site Perfect Apology weighs in with a detailed evaluation and ranking on a 10-point scale. Read through the list to find out who scored a -3 on the Perfect Apology scale.
Breach: Johns Hopkins of Maryland learned in January that eight backup computer tapes containing sensitive personal data -- including Social Security numbers and bank account information -- from about 52,000 university employees had been lost, and a ninth tape containing less sensitive data about 83,000 hospital patients also had been lost. Johns Hopkins said the tapes had been sent to a contractor’s facility in December, but a courier company hired by the contractor probably had left the tapes at another stop. The tapes probably had been collected as trash and incinerated.
Apology: “Both The Johns Hopkins University and The Johns Hopkins Hospital deeply regret this occurrence and apologize to those whose personal information may have been at risk of disclosure.”
Perfect Apology ranking: 3. The apology expresses “regret” for “this occurrence,” but only acknowledges the possibility that personal information “may” have been at risk. There is no clear or credible apology for their failure to provide the requisite level of information security, nor is there an acknowledgement of the obligation or responsibility they have to provide that kind of protection.
Breach: A laptop containing the names, salary information, Social Security numbers, home addresses, phone numbers and birth dates of 382,000 current and former employees was stolen from an employee’s car in early December. Boeing fired the employee and the laptop was recovered in late January.
Apology (e-mail sent to employees by President and CEO Jim McNerney): "I've received many e-mails over the past 24 hours from employees expressing disappointment, frustration, and downright anger about yesterday's announcement of personal information belonging to thousands of employees and retirees being on a stolen computer. I'm just as disappointed as you are about it. I know that many of us feel that this data loss amounts to a betrayal of the trust we place in the company to safeguard our personal information. I certainly do."
Perfect Apology ranking: -3. This is by far the weakest and probably most counterproductive apology in the list. It actually starts by acknowledging the absence of any real reason to apologize. The CEO’s response indicates that he spent 24 hours reading e-mail complaints instead of immediately working on a letter apologizing to his employees. In other words, he needed hundreds of e-mail complaints to get the point.
Perhaps the most serious error in judgment is the CEO’s decision to equate the anger and frustration of hundreds of thousands of employees with his own hurt feelings -- “Many of us feel . . . a betrayal of trust we place in the company to safeguard our information.” Comparing his grief with that of 380,000 employees is the worst illustration of shirking that responsibility.
There was absolutely no apology here to rank, and, if anything, the CEO’s statement probably made things worse.
4. University of California, Los Angeles
Breach: Hackers gained access to a UCLA database containing the personal information of 800,000 current and former students, faculty, staff, parents and applicants, including Social Security numbers, birth dates, home addresses and contact information.
Apology (letter issued Dec. 12, 2006): “Dear friend, . . . UCLA computer administrators have discovered that a restricted campus database containing certain personal information has been illegally accessed by a sophisticated computer hacker. . . . I regret having to inform you that your name is in the database. . . . We have an obligation to safeguard personal information, an obligation that we take very seriously. I deeply regret any concern or inconvenience this incident may cause you.”
– Norman Abrams, acting chancellor
Perfect Apology ranking: 2. The chancellor “regrets the inconvenience” and blames the “incident” on “illegally accessed” information by a very smart and “sophisticated computer hacker.” Again, the statement attempts to pass the buck by refusing to acknowledge responsibility for the administration’s failure to secure the information.
This was a letter of information, not really a letter of apology.
5. Chase Card Services
Breach: Computer tapes containing the personal information of 2.6 million current and former Circuit City card holders were mistakenly thrown out. After an investigation, Chase said in September 2006 that it believed the tapes had been compacted, destroyed and buried in a landfill where the trash was taken.
Apology (from Chase press release): “We deeply regret that this has occurred and apologize to those impacted. We have found no evidence that the tapes or their contents have been accessed or misused. The privacy of our customers’ personal information is of utmost importance to us, and we take the responsibility to safeguard this information very seriously.”
– Rich Srednicki, CEO of Chase Card Services.
Perfect Apology ranking: 3. CEO “deeply regrets” the incident and apologizes to those “impacted,” without an explanation for why the CEO should be apologizing in the first place. The letter goes on to express what amounts to a defense by stating that there is no evidence that information “was accessed or misused.” A stronger, more credible apology would have pointed out that the absence of such evidence is irrelevant to the obligation and responsibility the company has to prevent these security breaches in the first place.
6. U.S. Department of Veterans Affairs
Breach: In May 2006, a laptop and computer storage device containing the names, Social Security Numbers and dates of birth -- and in many cases phone numbers and addresses -- of all veterans discharged since 1975 were stolen from a VA employee’s home. Data from 26.5 million veterans and 2.1 million active and reserve service members was exposed. The stolen equipment was recovered a month later.
Apology (mailed to veterans June 2006): “We apologize for any inconvenience or concern this situation may cause, but we at VA believe it is important for you to be fully informed of any potential risk resulting from this incident. Again, we want to reassure you we have no evidence that your protected data has been misused. We will keep you apprised of any further developments. The men and women of the VA take our obligation to honor and serve America's veterans very seriously and we are committed to ensuring that this never happens again.”
– R. James Nicholson, Secretary of Veterans Affairs
Additional information: In February 2007, an employee of the Birmingham VA Medical Center in Alabama reported the theft or misplacement of a portable hard drive containing the personal information, including Social Security numbers, of 535,000 veterans. Also exposed was billing information for 1.3 million doctors, including names and Medicare billing codes.
Perfect Apology ranking: 1. This ‘apology’ makes one of the biggest mistakes -- “We apologize . . . but . . .”, followed by an explanation for why the apology isn’t really required. The Secretary goes on to imply that “We have no evidence . . .” that veterans deserve an apology. He claims to be committed to “ensuring this never happens again,” yet provides no clear indication of what they plan to do. What makes this apology so weak is the additional information regarding a repeat of the exact same mistake in February 2007, eight months later.
7. Texas Guaranteed Student Loan Corp.
Breach: In May 2006 a subcontractor hired to prepare a document-management system lost equipment containing the names and Social Security numbers of 1.7 million borrowers. Hummingbird, the subcontractor, said one of its employees had downloaded a series of files, decrypted them, and stored them on password-protected equipment that was later lost.
Apology: “All of us at TG regret the frustration and concern this recent equipment and data loss may cause our customers.”
Perfect Apology ranking: 1. Better than nothing. “Regrets the frustration” this incident “may” have caused. Should have acknowledged the pain and frustration the mistake probably did cause, regardless of whether or not the effects were serious or widespread.
8. The Boston Globe and Worcester Telegram & Gazette
Breach: Confidential credit and bank account information of as many as 240,000 subscribers was inadvertently disclosed on the back of slips used to label bundles of the Worcester Sunday Telegram.
Apology (issued Feb. 1, 2006): “Dear Boston Globe Subscribers, we regret to tell you of an unfortunate event that occurred over the weekend which we are working diligently to address. . . . We deeply value the trust our subscribers place in us and are working diligently to remedy this situation. Immediate steps have been taken internally at The Globe and the Telegram & Gazette to increase security measures for protecting customers’ confidential information. We regret the inconvenience that this incident may cause.”
– Richard H. Gilman
Perfect Apology ranking: 4. Regrets, but no clear apology offered. However, unlike some of the other weak apologies, this one does at least express a clear understanding of the anguish felt by subscribers, and claims to be taking “immediate” steps to increase security.
9. Bank of America
Breach: The company lost computer data tapes containing the personal information of as many as 1.2 million federal employees, including U.S. senators. “The lost data includes Social Security numbers and account information that could make customers of a federal government charge-card program vulnerable to identity theft,” the Associated Press reported in March 2005.
Apology (quoted in AP story): “We deeply regret this unfortunate incident. The privacy of customer information receives the highest priority at Bank of America, and we take our responsibilities for safeguarding it very seriously.”
– Barbara Desoer, chief of technology, service and fulfillment for Bank of America
Perfect Apology ranking: 2. The expressions of “regret” in all of these apologies are beginning to look a little scripted. Offers the same, almost standardized approach to issuing a very brief nonapology. In this case there was no effort to provide information explaining what the bank will do to fix the problem, and no indication that the bank appreciates the importance of at least attempting to reestablish trust. When compared with the same scripted apology by The Boston Globe, this one is less impressive and a little too brief.
Breach: The records of 163,000 consumers were compromised after criminals pretending to be legitimate ChoicePoint customers sought details about individuals listed in the company’s database of personal information. ChoicePoint agreed to pay $10 million in civil penalties and $5 million for consumer redress. The company also decided to limit the sale of information products containing sensitive consumer data, including Social Security and driver’s license numbers.
Apology (March 4, 2005): “We apologize again to those consumers who may be affected by the fraudulent activity. We remain committed to helping them take active steps to protect their personal data and to assisting law enforcement officials who are investigating the attacks on consumers’ identities.”
– ChoicePoint chairman and CEO Derek V. Smith
Perfect Apology ranking: 7. Compensation included $15 million. Officially apologizes to (and compensates) customers who have been directly affected, as well as those who “may be affected.” Acknowledges plans to address the problem by changing policy, working with law enforcement and limiting sale of information in the future.