Sep
22
Oops.
PERHAPS YOU HEARD: Equifax was hacked on September 7.
There are some who would reassure us by pointing out that 143 million accounts is less than half the number of MySpace accounts and less than one-third the number of Yahoo accounts that were hacked.
I have two reactions.
My first reaction is that would-be reassurers could do with a lesson in false equivalency. Greater numbers don’t necessarily make lesser ones okay; there were more hacked accounts than there are American households, so you should assume your data is compromised; and names, addresses, SSNs, credit card numbers, and driver’s license numbers are a good deal more than what bad guys typically obtain from social media accounts.
My second reaction is, MySpace is still around?
For financial institutions, the breach can be a bad thing with a silver lining. I can sum up the bad-thing part with three words: “Shaken consumer confidence.” The silver-lining part comes in the form of a marketing opportunity. Clients like being leveled with. They like information. And they like being empowered to keep themselves safe. Supplying useful information will do all of the above. Better still if your competitors remain silent, which I bet most will, for you will brand yourselves as the confident, trustworthy ones, the people with nothing to hide.
In short, the foolish thing to do in the wake of the Equifax breach is to be silent and hope clients didn’t hear about it. Trust me, they heard. The smart thing to do is to provide prompt, thorough information about what the breach entailed, how it happened, how clients can check for free to see if they have been compromised, and, most important, what they can do right now to protect themselves. (This piece from USA Today can provide you a good starting point.) If you have generous policies that protect clients, this is a great time to reiterate them. You should do so even if competitors offer similar protections, since your clients may not know they do.
This is not the time to send out impenetrable copy. I apologize if that came across as tactless. Here, let me try it again, this time with more tact:
FOR HEAVEN’S SAKE, DON’T LET ATTORNEYS OR COMPLIANCE WRITE THE DARNED THING.
Of course you have little choice but to let them review it—you would be unwise not to—but don’t let them rewrite or edit. Ask them to explain their concerns until you understand them well enough to repeat them back in plain, real-person English. You know you’re good to go when they roll their eyes and say, “Yes, that’s correct, but it doesn’t sound very professional.” Then put your best copywriter on it. Time’s a-wasting.