Telling Customers the Bad News

When and how to get the word out that your security's been breached Inc. faced a nightmare before Christmas when, on Dec. 18, executives at the online technology retailer discovered that a hacker had accessed its computer systems. To make matters worse, within the first 24 hours they found out that the compromised systems included the databases that hold customer credit card information. CEO and President Jeff Sheahan quickly made a decision: To head off attempts at fraud, he would share the bad tidings with customers and key partners. By the end of that week, the e-tailer, of Menlo Park, Calif., had sent e-mail from Sheahan to 3.3 million past and present customers and issued a press release that prompted news stories nationwide.

It was one of the few and most notable examples to date of a company informing customers soon after an Internet security breach. But the experiences of and others that have gone public about security lapses offer valuable lessons for e-businesses.

As online consumers become more concerned about security and privacy issues and as new privacy laws go into effect, most e-businesses should decide in advance when and how to communicate with customers and business partners when a security breakdown occurs, experts say. Online businesses should be careful not to overreact by issuing public statements that could serve to expose them to more break-ins. But, experts say, in cases where customer information—whether credit card numbers, addresses or other records—is exposed, companies have a responsibility to tell their customers.

If no customer information is compromised, or companies arent sure of the exposure, the appropriate response is murkier. Above all, e-businesses cant ignore the issue any longer and must develop policies and procedures for communicating security breaches to customers.

"As a rule, [companies] really dont want this information to get out," said Fred Rica, a partner in global risk management solutions for PricewaterhouseCoopers, in Florham Park, N.J. "Theyre afraid of eroding customer confidence and afraid that other people may try to exploit that security breach again."

No Doubt has been an excep- tion to that rule. The company started getting the word out in the few days after the breach by contacting the major credit card companies with which it works. told them to be alert to the possibility of fraudulent charges and to consider reissuing customers cards.

The next step was to reach customers. took a two-pronged approach Dec. 22, sending the customer e-mail and informing the media. The security hole made headlines, some unflattering. And some customers complained that they wanted even more. But Sheahan said the publicity was worth it.

"There was never any doubt this was the right way to go," Sheahan said. "I have a personal belief that when youre open and honest with people, good things generally happen."

With its uncommonly open approach, may have avoided a larger sales and public relations disaster. Sales for the week between Christmas and New Years—right after the disclosure—met the companys pre-hack expectations, Sheahan said. As of press time, had yet to report its fourth-quarter 2000 earnings, which could offer more details on the security breachs effect.

But, experts say, e-business managers should resist going public with information about security breaches unless theres a strong indication that customer information has been compromised. Public statements can alert hackers to your security vulnerabilities, and the more hackers know about a companys security methods, the easier it can be for them to attack systems.

Companies might be better served by solving certain internal security problems discreetly, PricewaterhouseCoopers Rica said. Examples include a virus attacking a companys e-mail system or hack attempts thwarted before they do significant damage.

Well-known sites face five or six hack attempts on most days, said Simon Perry, vice president of security services at Computer Associates International Inc., in Islandia, N.Y. Most companies dont want to alarm customers about each attempt. But if customer privacy is at risk, proactive communication is the best defense, experts say.

Also, for public companies, if a security breach could affect the companys financial performance, then it needs to warn shareholders of the risks, said John Pescatore, an analyst at Gartner Group Inc., in Stamford, Conn.

Even in cases where customer information remains safeguarded, companies should be ready to discuss their security problems publicly. The defacement of a companys Web site or denial-of-service attacks, for example, can grab customer attention. Hackers and the media are eager to disclose such incidents. E-businesses that find themselves subject to such unwanted attention should be prepared to explain what happened and how the situation is being fixed, experts say.

Companies such as LP discovered how quick the media is to notice breaches. Late last month, the site accidentally revealed the names and addresses of about 40,000 site visitors who participated in online contests. The Fort Worth, Texas, online travel services company learned of its mistake from media reports and then issued a public statement about the problem.

"Thats the environment were in right now, and its a very new environment especially for IT experts who are used to dealing with IT and security issues as an internal issue," said Thomas Barritt, senior vice president and director of issues management at public relations company Ketchum, a subsidiary of Omnicom Group Inc., in New York. "Now the public knows much more about it and knows the risk about providing personal and financial information online."

Be Prepared

While experts praise companies such as for communicating quickly with customers, they add its not enough just to react to security breaches. Long before theres a problem, companies need to come up with policies and procedures for how they will handle customer and media communications as part of their Internet security plans, experts say. That was one step hadnt taken before its crisis. Sheahan said the company has since turned what it learned into guidelines for communicating security problems.

When a company decides to inform customers of a security breach, it needs to be careful about what it says. It must make it clear it is taking action to solve a security problem and be upfront about what risks customers face, Gartners Pescatore said.

Once the word is out, companies must remember that customers will want continual updating. That was one crack some customers found in Egghead.coms approach. After its initial e-mail to customers Dec. 22, the company waited until Jan. 8 before providing any direct update. That led some news outlets to write about customer frustration in waiting for to tell them whether their credit card numbers were fraudulently taken.

For Bill Caswell, an customer who found a fraudulent charge on his credit card bill, the e-mails didnt provide enough information. Caswell, of Silver Springs, Md., wanted details on what type of charges to look for on his credit card bill. He called his credit card issuer once he noticed a bizarre charge from a Russian telecom company. His bank blamed the hack.

For its part, has acknowledged that about 7,500 of its customers reported fraudulent charges, but the company maintains that none were linked to its breach and could have occurred from other companies security problems. officials said they were limited in what they could tell customers after the companys first e-mail because the hack had led to an investigation by the Federal Bureau of Investigation, Sheahan said. Also, Sheahan said that he delayed updates because he wanted security experts brought in to diagnose the problem to first find out what was compromised.

At the same time, assigned about a dozen customer service representatives to handle customer calls about the security issues.

With the heightened awareness of security and privacy and an economy beating up on dot-coms, e-businesses cant afford to lose customers. They must be prepared to share bad news with customers when security failure comes, said Deborah Pierce, a staff attorney for the Electronic Frontier Foundation, an advocacy group in San Francisco.

"If companies are serious about wanting to build trust on the Net, then this is one of the key places where they can prove it," Pierce said.