It's Not The Size Of The Data Breach That Matters: All Of Your Customers Are Affected

The oft-forgotten element of the endless procession of consumer data breaches is how companies manage the aftermath. It's an undertaking that can be summed by two words: Damage control. And one company that found itself on the wrong end of a breach last month--Marriott Corp.--is only getting half of the effort right.In the case of customers whose data is known to have been compromised, the choices are relatively simple. The companies in question have to do everything in their power to communicate with those customers, keeping them in the loop about efforts to plug the wholes and find the data, and helping them deal with the consequences. Where things are a bit more complicated is with customers whose data appear to have been unaffected.

Marriott's timeshare unit--which lost backup tapes containing customer records late last month--has handled the first group adequately by doing things such as offering free credit-monitoring services for a year. But when it comes to the second group, Marriott is providing exhibit A of how not to put that segment at ease.

InformationWeek's cover story on this topic last week, "Sad State of Data Security," included some input from a Marriott Vacation Club International customer, Vic Christensen, owner of a Marriott timeshare unit, who said he'd have a hard time trusting the company again, even if it proclaimed his data safe. The fact that the company had said on its Web site that only customers directly impacted by the loss of the tapes would be extended a year's worth of free credit monitoring services only braced Christensen to be doubly disappointed.

Lo and behold, he got an email from Marriott over the New Year weekend, affirming that his name, Social Security number and credit card information were not on the lost tapes, and that he'd be receiving an "unaffected owner" letter to that affect shortly. In other words, as far as Marriott was concerned, there was no reason for Christensen--and thousands of other "unaffected" customers--to give the matter another thought.

The problem is, Christensen is most definitely giving it another thought (and so are a lot of other customers, no doubt). In a subsequent E-mail echange I had with him, Christensen made it clear that Marriott's declaration that his data was safe didn't make him feel any better. "My first two thoughts after reading this were, 'Yeah, right' and, 'And I should believe you because...?'" he wrote. "Maybe they're hoping people will just take their word for it and not cause any trouble."

That's certainly how it appears. And even if Marriott really does know definitively whose data was or wasn't on the tapes, and is right that a lot of "unaffected" customers won't cause any trouble, it's still the wrong approach.

I don't mean to be picking on Marriott. Certainly they're not the first company to handle a data breach in this manner, and they won't be the last. But Christensen's response speaks volumes about why companies that are compromised should reach out to all of their customers. It doesn't matter who's data is safe after the fact. What matters is that customer confidence is eroded, and that's what a company in Marriott's situation should be trying to repair above all else.