Never Apologize, Never Explain

When it comes to a privacy breach, what's the best policy -- contrite or circumspect? Two incidents showcase different approaches.First, there's Mark Zuckerberg's act of contrition over the mess he made with a new collaboration/advertising feature in his social networking site, Facebook. The feature, called Beacon, shared online activity data among Facebook friends -- more data than users were prepared to accept, apparently, because howls of protest were heard not long after Beacon was introduced. Zuckerberg and crew were forced to retool the feature's opt-out capability. "We simply did a bad job with this release, and I apologize for it," Zuckerberg said in a long blog post on the site that explained the genesis of the Beacon project and what went wrong. "I'm not proud of the way we've handled this situation and I know we can do better," he said.

I couldn't help but compare that with another privacy-related news story this week about TJX, the discount retailer that suffered a massive customer data breach that lasted more than a couple of years and which came to light earlier this year. TJX, which owns TJ Maxx, Marshalls, and other stores, has been fairly circumspect in what it has said about the security problem.

In its first press release on the breach, dated Jan. 17, Ben Cammarata, chairman and acting chief executive officer of TJX Companies, said this: "We are deeply concerned about this event and the difficulties it may cause our customers."

There was a follow-up statement from the company, in the form of a press release on Feb. 21. In it, newly appointed president and CEO Carol Meyrowitz commented, "Let me begin by telling our customers personally how much I regret any problems or inconvenience they may have experienced as a result of the unauthorized intrusion into our computer system."

In a press release on Sept. 21 announcing its settlement offer related to the numerous customer class-action lawsuits against the company, Meyrowitz said, "We deeply regret any inconvenience our customers may have experienced as a result of the criminal attack on our computer system." Then she added this: "Importantly, we truly appreciate our customers' continued patronage."

Amen to that, brother. TJX's financial performance hasn't suffered, despite the bad publicity the company has received over the last 11 months. In fact, quite the opposite: net sales for its fiscal third quarter, ended Oct. 31, increased 6% to $4.7 billion, according to the company.

This week TJX announced a settlement proposal with Visa USA to compensate the banks that issued the credit cards that were compromised in the data hack. In a news story by my colleague Tim Wilson, one security expert points out that TJX hasn't done the one thing that interested parties and the consumer public at large would benefit most from -- explain exactly what happened.

I don't anticipate that Facebook will suffer greatly in the long run from its privacy, uh, loss of face. But based on TJX's bullish financial performance, when it comes to privacy problems I think we can anticipate more circumspection and less contrition.