I’ve been getting a lot of urgent messages from major companies I do business with lately. Urgent messages telling me that information I gave them has been stolen by unknown parties.
Yup, I’m not only a PlayStation Network member–and therefore a victim of the current Sony security breach–but also a customer of at least three companies (Marriott, TiVo, and 1-800-Flowers) who were involved in the recent data theft from marketing company Epsilon. I wrote about this for my new TIME.com Technologizer column, But after reading all this correspondence, I have some advice for the corporate entities who send these e-mails. (I care about this stuff in part because I have the uneasy feeling I’m going to be getting a lot more of these messages in the future.)
1. Put it in the subject line. No, the subject line doesn’t need to be “YOUR DATA WAS STOOOOOLEN!!!!!!” But something like “Important Information for 1800Flowers.com Email Customers” is too vague, especially since I’m used to big companies claiming that everything they want to tell me is important. (And what the heck is an “email customer,” anyhow?)
2. Tell me what leaked, what may have leaked, and what didn’t leak. Sony, TiVo, and 1-800-Flowers were all pretty clear about what information was at risk. Marriott’s message, however, was vague about what was stolen–in this case, my name and e-mail address–which could leave me jumping to unwarranted conclusions.
3. Be calm, but not dismissive. Marriott’s e-mail about the Epsilon breach told me “In all likelihood, this will not impact you.” That may be true, but it contacted me because there’s a chance that it might impact me. I don’t want companies to fearmonger, but they should address worst-case scenarios.
4. Tell me how to contact you. You’re the guys who I trusted with my info; if I still have questions after reading your e-mail, I should be able to ask them. Of you, not of some third-party consumer agency. (Credit where credit is due: Sony ended its PlayStation e-mail with a phone number to call.)
5. Don’t tell me you take my privacy seriously or remind me how valued I am. I’m sure you do. I’m sure I am. This isn’t the right time to tell me, though.
6. Apologize. I know that it’s not your fault there are cybercriminals and other nogoodniks out there. I understand that some third-party company may have suffered the breach. But you’re the ones I gave my information to. Something bad happened. You’re the one I expect an apology from.
7. Sign your letter. I mean with the name of a human being with a title–somebody’s willing to take responsibility for this, right? Of the companies I’ve recently heard from, only 1-800-FLOWERS did this.