Corporate apologies don’t mean much

Data breaches force company executives to apologize, but a bad apology can make things worse

There are so many ways to say you’re sorry. And few organizations have had as many opportunities to apologize over the past two years as those that handle the sensitive personal information of Americans.

Since the beginning of 2005, the Privacy Rights Clearinghouse has kept a running total of publicly disclosed data breaches that expose information potentially useful to identity thieves, such as Social Security numbers, credit card account numbers and driver's license numbers. On Dec. 13, the theft of a Boeing laptop containing the personal information of 382,000 current and former employees brought the total number of U.S. data breach victims to more than 100 million.

Security expert and author Bruce Schneier has said he thinks “everyone in the U.S. has been the victim of at least one of these already.”

Companies in damage control mode offer a range of apologies, some that sound sincere and others that appear to deflect blame. Network World compiled a list of 10 data breaches and resulting apologies (see accompanying story), and asked team members at Perfect Apology to rate each one in our list. They were not impressed by the mea culpas.

“Many of the CEOs made the same standard mistake,” Perfect Apology writes. “They passed the buck by assigning most of the responsibility to other forces or actors, and by emphasizing ‘regret’ rather than expressing a sincere and credible apology for their company’s failure to meet their customers’ reasonable security needs and expectations.”

The makers of Perfect Apology do not reveal their real names, but say they come from a variety of backgrounds: a teacher and writer on international relations, nuclear proliferation and global terrorism; a chief strategy officer for a dot-com company in Silicon Valley; and a database administrator. They say they used their “collective expertise in research and problem solving” to examine apologies offered by celebrities, athletes, government leaders, business executives and the Pope. Every mistake has a “perfect apology,” they claim.

ChoicePoint, which agreed to pay $15 million in penalties after 163,000 consumer records were compromised in 2005, earned a good review from Perfect Apology for detailing steps taken to prevent a reoccurrence and for apologizing to consumers affected by fraudulent activity.

Boeing, on the other hand, earned Perfect Apology’s lowest score for a non-apology issued by CEO Jim McNerney after the laptop theft exposing sensitive employee information. Instead of taking responsibility, McNerney wrote in an e-mail to employees that “I’m just as disappointed as you are about it.”

“None of the apologies acknowledges any real responsibility for the loss of security,” Perfect Apology writes. “Also, very few of these apologies explained what the company was prepared to do to prevent the same thing from happening again.”

Companies that expose data could take a cue from JetBlue, an airline that drafted a customer bill of rights after recent flight delays left passengers stranded aboard planes for hours.

JetBlue’s apology didn’t try to minimize the company’s failures. “Dear JetBlue customers. We are sorry and embarrassed,” it reads. “Last week was the worst operational week in JetBlue’s seven-year history. . . . Words cannot express how truly sorry we are for the anxiety, frustration and inconvenience that we caused.”

The actions and words of JetBlue founder and CEO David Neeleman amounted to the “perfect business apology,” and will likely become a generally accepted standard for businesses that find themselves in hot water, according to Perfect Apology.

JetBlue’s apology was also deemed effective by no less an authority than Peter Post, great-grandson of famed etiquette expert Emily Post and director of the Emily Post Institute in Vermont. In very clear language, JetBlue officials said they were sorry and explained what they did wrong and how they would fix the problems.

“Look at the interviews that happened after that with people; it was like they couldn’t blast [Neeleman] anymore,” Post says. “We all make mistakes. JetBlue overall has handled that very very well.”

Companies often make apologies that seem insincere. “We apologize if anyone was affected,” is a common variation on the theme. Or executives will say they regret something that has happened instead of saying they are sorry. Using the word “regret” gives the appearance of “skirting around the issue,” Post says.

Legal concerns may cause executives to think if they apologize it will be seen as an admission of guilt. Post acknowledges that his expertise is with etiquette rather than law, but he says there must be a way for people to apologize sincerely without opening themselves up to further legal troubles.

Companies trying to minimize the fallout from data breaches must take responsibility for what they did, notify people about whether their personal information has been exposed, and say exactly how they plan to fix the problem, he says.

There will no doubt be many more opportunities for company executives to practice saying “I’m sorry.” And if they do it right, Post says, they will be forgiven.

“Americans are really funny people,” he says. “They love apologies. If you apologize in America, sincerely apologize in America, the public will forgive you. They’ll forgive almost anything.”

Copyright © 2007 IDG Communications, Inc.