Privacy Problems
November 22, 2007 by Elizabeth Toledo
Someone swiped my personal information last month, along with thousands of others who subscribe to non-profit online newsletters. The American Museum of Natural History informed me that the database company they use to manage my account (Convio) had been infiltrated. It may not be the most exciting aspect of public relations, but understanding how to communicate mistakes and risk to customers is an incredibly important part of our work.
Data security is a tough business. Last month personal information about 25 million Britons was lost by a government agency. The museum may have lost my username and password, but all those Britons lost things like bank account numbers and the British equivalent of social security numbers. It’s a major story in Britain, with the Prime Minister losing a great deal of public confidence in its aftermath. One official has resigned, and one junior official has been publicly blamed for not following protocol. That blame may backfire, however, as recent reports indicate that more senior officers may be scapegoating the junior staff member. The Prime Minister has ordered all departments to review their systems by December 10, but reports are already circulating about deep systemic problems that point to serious privacy concerns.
Governments seem to have a tough time keeping track of personal data. Recently the Bush Administration backed off a rule that would require employers to validate social security numbers within 90 days by comparing employee records with the national social security database. The Administration was forced to backpedal when it was confirmed that the social security database was riddled with errors.
All this makes my newsletter security breach look minor. Opinion polls persistently show that the public cares deeply about privacy, so the rapid impact on the Prime Minister’s public confidence level is predictable. Anyone who is collecting personal information, whether that be donor files, online newsletter subscriptions, client files, or other private information, needs to have a professional communications plan in place related to privacy and security.
I tracked the correspondence I received about the newsletter and checked it against my own reaction as a consumer. From the start I had three questions on my mind - what information of mine got stolen? What can I do? Can I still trust the museum and others involved to keep my information private in the future? On the whole, those three questions were answered simply and repeatedly.
Convio became aware of the problem on November 1 - though the system had been hacked as early as October 23. Convio began notifying its 92 impacted non-profit clients a few days later, and sent its first correspondence to impacted customers on November 4. Some security critics have said this response was slow; others praise Convio. Starting November 4, some (not many) of the impacted clients decided to notify their subscribers.
Media coverage was relatively limited - since the clients were non-profit organizations, the philanthropy and technology press took the greatest interest. Convio CEO Gene Austin’s message in the Chronicle of Philanthropy was: “… immediate security upgrades have eliminated the threat of a repeat attack, Mr. Austin says. ‘We wish it hadn’t happened, but we’re dealing with the information we have and improving ourselves because of it.’”
I received emails from two organizations and Convio. The museum was the last to send me an email, which I found slightly annoying given the importance of taking swift action to prevent the misuse of the stolen data. The messages were consistent across all three organizations, likely because Convio had given advice and guidelines to impacted organizations about the communications. Since Convio didn’t list all the organizations involved in the breach, I was left wondering who might not have bothered to send me an alert. In fact some bloggers claim that most of the impacted organizations did not alert their subscribers.
In the end, I didn’t cancel any subscriptions and I did take the recommended advice. Convio seems to have avoided a major media disaster - for example, the Convio story hasn’t been linked to other major stories such as the UK situation.
In this case, Convio and the organizations that notified their subscribers followed the classic formula for crisis communication:
- Be proactive in bringing information and recommendations to consumers.
- Be authentic (for example, don’t scapegoat a junior employee).
- Take bold action to prevent further occurrences.
Postscript:
One day after I wrote this entry, the New York Times published a story about the security breach. The article criticized the organizations who did not notify their subscribers.