How to Plug an Info Leak

When customer data is compromised for any reason, companies -- especially small ones -- need to reassure clients with speed and openness

By David E. Gumpert

I like to see myself as something of an Internet warrior, toughened by many thousands of spam messages offering drugs, pirated software, or easy money. But late last month, I received a curious e-mail from someone I had never heard of, with the subject line, "LexisNexis is revealing your private account information." I wouldn't have even opened it except I had just been on the LexisNexis site earlier that day doing some research.

The e-mail's text truly unnerved me and, in my judgment, provides the seeds of important lessons for the hundreds of thousands of smaller companies conducting business online. "I was attempting to order a news article when about 35 pages of customer information popped up on the screen," the e-mail began. "The information included your address, the last four digits of your credit card, your phone number, the amount of your purchase, etc." Stuck in parenthesis after some of these items, as if in blazing lights, were my correct personal data.

I immediately sent an urgent note to LexisNexis, including a copy of the e-mail. Two days later, a senior marketing official responded via e-mail that a "customer inadvertently accessed an order receipt log...and reviewed a small number of receipts, including the one you recently placed with us.... In addition, we confirmed that this was the only time this has occurred since the product [LexisNexis AlaCarte] was introduced in November."

I was beginning to breathe easier, until I came to the good part: "The customer who accessed the log could only view your name, address, telephone number, order value, and the last four digits of the credit card."

Only? I'm well aware that anyone can locate most anything about anyone on the Internet, but such info usually isn't broadcast by a vendor I'm paying for services. Apparently, this official was of the nothing-to-worry-about view, as she ended with an apology "for any unnecessary concern this may have caused you."

This exchange with LexisNexis was the only time I had heard from it about the breach of my privacy -- and remember, the response came at my initiation. Shortly after our exchange, I spotted business media reports in which LexisNexis reported that 30,000 individuals using LexisNexis had at one point experienced security breaches. Then, in mid-April, the number was revised upward by a factor of 10, to 310,000 people. So much for the "small number" LexisNexis wrote me about (see BW Online, 4/15/05, "Personal Data Theft: It's Outrageous").

Just in the last few days, I received a snail-mail letter from LexisNexis' president, apparently distributed to all customers, reiterating that a "very small number of customers" had their IDs and passwords "compromised," and that hackers "did not access customers' search histories." When following up with the company for this column, a LexisNexis spokesperson defended the communication process, saying, "We sent two letters with contact information. We did have a number you could call for more information."

As I said at the outset, this corporate screw-up holds important lessons for small businesses selling products and services online. First and foremost, business owners must appreciate that, a decade after the initial commercialization of the Internet, many Americans remain extremely worried about online-privacy issues, especially as identity theft has soared.

Because so many small businesses conduct transactions online, they have a lot to lose if the concern becomes so great that Americans demand legislative or legal action. Europe has already enacted strict laws about the handling of personal data, and that could be where the U.S. is heading.

Second, small businesses need to be honest and forthright with their customers when security breaches occur. Most people appreciate the fact that computer glitches occur -- but become uncomfortable when companies try to minimize what is happening, as LexisNexis appeared to do.

Thanks to e-mail, informing customers about problems is invariably easier and less expensive in the online world than, say, getting the word out to consumers who have purchased potentially unsafe food from a grocery. Since trust is such a delicate matter in any event, why shouldn't small businesses do what they can to improve trust rather than destroy it?

Finally, I would suggest that within such seemingly embarrassing problems are the seeds of opportunity. Giving customers the real story suggests an openness that often makes them want to do business with you. Had LexisNexis followed up, letting me know that the problem was bigger than originally anticipated and providing me with complimentary searches as some other customers reportedly received, I would have come away with a much more forgiving attitude. In business, how you handle a messy incident can leave a more lasting impression than the incident itself.

David E. Gumpert is author of Burn Your Business Plan! What Investors Really Want from Entrepreneurs and How to Really Start Your Own Business. Most recently, he's the co-author of Inge: A Girl's Journey Through Nazi Europe.

Edited by Rod Kurtz