A couple of days ago, hackers stole data (customers’ names and e-mails) from Epsilon, a company that manages e-mail marketing campaigns for some of the nation’s biggest retailers. (Read the WSJ article “Breach Brings Scrutiny.”) I must be a downstream customer of Epsilon’s because within a day of the breach I had received explanation e-mails from Marriott, Target, and Hilton. (Scroll to the bottom to read the three e-mails.) Overall, Marriott’s was the least effective. After a close read of these three samples, I’ve come up with some advice.

Four tips for writing e-mail that explains a security breach …  or other bad news

1. Write a clear subject line. Target and Hilton used the same subject line: Important message from [Target, Hilton HHonors]. Marriott used Important Notice from Marriott International, Inc. These subject lines are truly inadequate and likely to get lost in my inbox. And they do nothing to offset the torrent of phone calls each company’s contact center must have received from nervous customers. Even Explanation of Recent Security Breach would have been a better subject line.
2. Use a specific greeting. Marriott got this right. But Target addressed me as a valued guest. I have never understood this euphemism for customer. Yes, one treats guests nicely, but one doesn’t usually try to sell them things or protect their e-mail addresses. And Hilton’s Dear Customergreeting is just blah. It’s anonymous.

    

3. Explain what the customer should do. Marriott’s advice is weak: continue to be on alert. Marriott does nothing to help customers gauge the severity of the breach or to take steps to protect themselves. In contrast, Target and Hilton give bulleted, specific instructions.

    

4. Sign the e-mail. When your customers become concerned about their personal data, it’s time to bring in the big guns. Marriott blundered again. Their e-mail isn’t even “signed” with a person’s title, such as Marketing Director or Customer Service Manager. Hilton’s and Target’s VPs took personal responsibility in their company’s e-mails.

On a related topic, Epsilon’s news release on the breach — “Epsilon Notifies Clients of Unauthorized Entry into Email System” — is pure blunder. The worst thing a company can do when something bad has happened is use language that hides ownership. Plain language is a must. If ever Epsilon should have chosen active voice, this would be the time. But Epsilon’s news release is full of the company’s hysteria-induced use of passive voice: “On March 30th, an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system.” Who detected? Who exposed?

********************************************************

Marriott’s E-Mail

Dear Marriott Customer,

We were recently notified by Epsilon, a marketing vendor used by Marriott International, Inc. to manage customer emails, that an unauthorized third party gained access to a number of Epsilon’s accounts including Marriott’s email list.

In all likelihood, this will not impact you. However, we recommend that you continue to be on the alert for spam emails requesting personal or sensitive information. Please understand and be assured that Marriott does not send emails requesting customers to verify personal information.

We take your privacy very seriously. Marriott has a long-standing commitment to protecting the privacy of the personal information that our guests entrust to us. We regret this has taken place and apologize for any inconvenience.

Please visit our FAQ to learn more.

Sincerely,

Marriott International, Inc.

********************************************************

Target’s E-Mail

To our valued guests,

Target’s email service provider, Epsilon, recently informed us that their data system was exposed to unauthorized entry. As a result, your email address may have been accessed by an unauthorized party. Epsilon took immediate action to close the vulnerability and notified law enforcement.

While no personally identifiable information, such as names and credit card information, was involved, we felt it was important to let you know that your email may have been compromised. Target would never ask for personal or financial information through email.

Consider these tips to help protect your personal information online:

• Don’t provide sensitive information through email. Regular email is not a secure method to transmit personal information.
• Don’t provide sensitive information outside of a secure website. Legitimate companies will not attempt to collect personal information outside a secure website. If you are concerned, contact the organization represented in the email. 
• Don’t open emails from senders you don’t know.

We sincerely regret that this incident occurred. Target takes information protection very seriously and will continue to work to ensure that all appropriate measures are taken to protect personal information. Please contact Guest.Relations@target.com should you have any additional questions.

Sincerely,

Bonnie Gross
Vice President, Marketing and Guest Engagement

********************************************************

Hilton’s E-Mail

Dear Customer:

We were notified by our database marketing vendor, Epsilon, that we are among a group of companies affected by a data breach. How will this affect you? The company was advised by Epsilon that the files accessed did not include any customer financial information, and Epsilon has stressed that the only information accessed was names and e-mail addresses. The most likely impact, if any, would be receipt of unwanted e-mails. We are not aware at this time of any unsolicited e-mails (spam) that are related, but as a precaution, we want to remind you of a couple of tips that should always be followed:

• Do not open e-mails from senders you do not know
• Do not share personal information via e-mail

Hilton Worldwide, its brands and loyalty program will never ask you to e-mail personal information such as credit card numbers or social security numbers. You should be cautious of “phishing” e-mails, where the sender tries to trick the recipient into disclosing confidential or personal information. If you receive such a request, it did not come from Hilton Worldwide, its brands or its loyalty program. If you receive this type of request you should not respond to it but rather notify us at fraud_alert@hilton.com.

As always, we greatly value your business and loyalty, and take this matter very seriously. Data privacy is a critical focus for us, and we will continue to work to ensure that all appropriate measures are taken to protect your personal information from unauthorized access.

Sincerely,

Jeffrey Diskin
Senior Vice President, Customer Marketing
Hilton Worldwide

********************************************************