Comment by WaitWaitWha
3 days ago
This already happens every single time when there is a security breach and private information is lost.
We take your privacy and security very seriously. There is no evidence that your data has been misused. Out of an abundance of caution… We remain committed to... will continue to work tirelessly to earn ... restore your trust ... confidence.
What else would you see them do or say beyond this canned response? The reason I am asking is because people almost always bring up how dissatisfied they are with such apologies, yet I’ve never seen a good alternative that someone would be happy with. I don’t work in PR or anything, just curious if there is a better way.
clear, direct description of what happened
exactly what data was exposed
what they failed to do (we used cheesy email, SMS as MFA, we do not monitor links in our internal emails)
concrete remediation commitments (we will stop using SMS for MFA, use hard tokens or TOTP or..., stop collecting data that is not explicitly needed)
realistic risk explanation (what can happen what was lost)
published independent external review after remediation/mitigation
board-level accountability (board pay goes for fix and customer protection, part of the audit results)
customer protection (3 - 5 years?), not just 'monitoring'
and most importantly, public shaming of the CxO and the board of directors
Not apologize if they don't actually care. An insincere apology is an insult.
Harvesting data and failing to even secure it should not be acceptable in society. It should be ruinous to the company and the people who run it.
Lose money accordingly - fines, penalties, recompense to victims, whatever... - so they then take the seriousness of security into account.