Corporate apologies don't mean much

There are so many ways to say you're sorry. And few organizations have had as many opportunities to apologize over the past two years as those that handle the sensitive personal information of Americans.

Since the beginning of 2005, the Privacy Rights Clearinghouse has kept a running total of publicly disclosed data breaches that expose information potentially useful to identity thieves, such as Social Security numbers, credit card account numbers and driver's license numbers. On Dec. 13, the theft of a Boeing laptop containing the personal information of 382,000 current and former employees brought the total number of U.S. data breach victims to more than 100 million.

Security expert and author Bruce Schneier has said he thinks “everyone in the U.S. has been the victim of at least one of these already."

Companies in damage control mode offer a range of apologies, some that sound sincere and others that appear to deflect blame. Network World compiled a list of 10 data breaches and resulting apologies (see accompanying story), and asked team members at Perfect Apology to rate each one in our list. They were not impressed by the mea culpas.

“Many of the CEOs made the same standard mistake," Perfect Apology writes. “They passed the buck by assigning most of the responsibility to other forces or actors, and by emphasizing 'regret’ rather than expressing a sincere and credible apology for their company’s failure to meet their customers’ reasonable security needs and expectations."

The makers of Perfect Apology do not reveal their real names, but say they come from a variety of backgrounds: a teacher and writer on international relations, nuclear proliferation and global terrorism; a chief strategy officer for a dot-com company in Silicon Valley; and a database administrator. They say they used their “collective expertise in research and problem solving" to examine apologies offered by celebrities, athletes, government leaders, business executives and the Pope. Every mistake has a “perfect apology," they claim.

ChoicePoint, which agreed to pay $15 million in penalties after 163,000 consumer records were compromised in 2005, earned a good review from Perfect Apology by detailing steps taken to prevent a reoccurrence and for apologizing to consumers affected by fraudulent activity.

Boeing, on the other hand, earned Perfect Apology’s lowest score for a non-apology issued by CEO Jim McNerney after the laptop theft exposing sensitive employee information. Instead of taking responsibility, McNerney wrote in an e-mail to employees that “I’m just as disappointed as you are about it."

“None of the apologies acknowledges any real responsibility for the loss of security," Perfect Apology writes. “Also, very few of these apologies explained what the company was prepared to do to prevent the same thing from happening again."

Companies that expose data could take a cue from JetBlue, an airline that drafted a customer bill of rights after recent flight delays left passengers stranded aboard planes for hours.