Corporate IT Security Breach Apology Letter Template

While finishing up our final preparations for our upcoming “Online Protection” presentation in Vancouver, we came across this outstanding piece of collateral that we believe many companies will benefit from in 2009: Heartland Payment Systems’ apology letter to its customers after its security was breached (Action 3 News).

Interestingly, the Magna Techa blog notes that this was actually the second major payment processor security breach in about a month. Visa got hit first (so you might want to check your credit card statement. Best of luck with that).

Without wishing to rub salt in Heartland’s wound, we felt that CEO Robert O. Carr actually did a pretty good job of crafting a letter explaining the security breach to its customers, who may now face the threat of ID theft, and what the company is going to do to prevent this in future.

It’s an excellent template letter for the thousands of companies we expect will go through the same kind of brand-image thrashing that Heartland is experiencing right now.

We’ve reproduced the letter below, with minor changes highlighted in bold to allow CEOs to easily insert their company name and details for the mass media and their (former?) customers. We've done this in a light-hearted spirit, though we should make clear that we really do sympathize with Mr. Carr and his colleagues at Heartland, who clearly never wanted to be in this situation.

There's no doubt that Heartland was already investing enormous resources and energy into protecting their partners and customers when the breach occurred. This incident reminds us that the cyber criminals only need to be successful one time to cause damage. With a lot of effort and some luck, perhaps Heartland will be successful in limiting further exposure to its customers and in improving security overall in future.

Without further ado, here's the apology letter template.

Email Subject: Our Security Is Your Problem :-)
To: Our Customers

On behalf of INSERT YOUR COMPANY NAME, I sincerely regret any inconvenience caused by the data breach that occurred within our processing system during INSERT TIME PERIOD. INSERT YOUR COMPANY NAME understands the concern this breach has generated, and our goal is to transform this event into a positive outcome for the public, and our company.

To that end, we will not rest until we have the answers to how and why this breach occurred so we can prevent any future attacks at INSERT YOUR COMPANY NAME and elsewhere. We are coordinating with the Secret Service and the United States Department of Justice to resolve this issue. I have reached out to other leaders in the payments industry to encourage a new level of information sharing and cooperation that I believe will help thwart criminal hackers in the future.

Our organization and business model were founded on fair dealings, transparency and INSERT YOUR BUSINESS’ UNIQUE PHILOSOPHY. That operating philosophy has been successful for the 12 years we have been in business. Our faith in that philosophy has been sustained over the past few days.

In fact, since our disclosure of the breach on INSERT DATE, more than INSERT NUMBER OF PEOPLE WHO STILL(?) BELIEVE YOU CAN BE TRUSTED WITH THEIR INFORMATION have demonstrated their continued trust in our services by joining as new customers. INSERT YOUR COMPANY NAME is grateful for that trust, and we will do everything possible to uphold our promise of enhanced data security.

In the past several days, we have taken the following forward-looking steps to improve security:

- Created plans and taken actions to expedite the development of end-to-end encryption - which will protect data in motion as well as data at rest - as an enhanced standard of payments security.
- Engaged industry leaders to better coordinate and intensify our fight against cyber criminals.
- Contacted more than 150,000 merchant locations to help them understand this data breach and what we are doing to prevent future incursions.

This past week has been a challenging one for INSERT YOUR COMPANY NAME, cardholders and our customers. We appreciate and value all of you who have stood by us, and we look forward to using the knowledge we have gained from this experience to enhance our security and help others in the industry do so as well.

If you have further questions or concerns, please call our toll-free number at PHONE NUMBER or email us at EMAIL.