David E. Gumpert, in Business Week Online, recounts his experience with LexisNexis after his personal information was compromised (unrelated to the massive breach otherwise reported on). After the company repeatedly trivialized the incident, he offers some suggestions to companies who are dealing with issues like this:
How to Plug an Info Leak:
"... HONESTY COUNTS. Because so many small businesses conduct transactions online, they have a lot to lose if the concern becomes so great that Americans demand legislative or legal action. Europe has already enacted strict laws about the handling of personal data, and that could be where the U.S. is heading.
Second, small businesses need to be honest and forthright with their customers when security breaches occur. Most people appreciate the fact that computer glitches occur -- but become uncomfortable when companies try to minimize what is happening, as LexisNexis appeared to do.
Thanks to e-mail, informing customers about problems is invariably easier and less expensive in the online world than, say, getting the word out to consumers who have purchased potentially unsafe food from a grocery. Since trust is such a delicate matter in any event, why shouldn't small businesses do what they can to improve trust rather than destroy it?
Finally, I would suggest that within such seemingly embarrassing problems are the seeds of opportunity. Giving customers the real story suggests an openness that often makes them want to do business with you. Had LexisNexis followed up, letting me know that the problem was bigger than originally anticipated and providing me with complimentary searches as some other customers reportedly received, I would have come away with a much more forgiving attitude. In business, how you handle a messy incident can leave a more lasting impression than the incident itself."
In this day and age, these sorts of issues are the most important for an online business. All you have is your reputation and the trust of your customers. Don't apologize for any "unnecessary concern this incident may have caused" your customer. That's simply not going to reassure them and will likely make them mad. If a sensible customer is concerned, take it seriously. If you messed up, fix it and apologize. Most of the time, that'll do the trick. Covering it up, minimising the issue, "spinning it" or getting defensive will do the opposite. (For more on how to deal with incidents like this, see PIPEDA and Canadian Privacy Law: Two magic words, big effects ....)
Thanks to Techdirt for the link.