The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
Saturday, May 07, 2005
David E. Gumpert, in Business Week Online, recounts his experience with LexisNexis after his personal information was compromised (unrelated to the massive breach otherwise reported on). After the company repeatedly trivialized the incident, he offers some suggestions to companies who are dealing with issues like this:
How to Plug an Info Leak: "... HONESTY COUNTS. Because so many small businesses conduct transactions online, they have a lot to lose if the concern becomes so great that Americans demand legislative or legal action. Europe has already enacted strict laws about the handling of personal data, and that could be where the U.S. is heading.
Second, small businesses need to be honest and forthright with their customers when security breaches occur. Most people appreciate the fact that computer glitches occur -- but become uncomfortable when companies try to minimize what is happening, as LexisNexis appeared to do.
Thanks to e-mail, informing customers about problems is invariably easier and less expensive in the online world than, say, getting the word out to consumers who have purchased potentially unsafe food from a grocery. Since trust is such a delicate matter in any event, why shouldn't small businesses do what they can to improve trust rather than destroy it?
Finally, I would suggest that within such seemingly embarrassing problems are the seeds of opportunity. Giving customers the real story suggests an openness that often makes them want to do business with you. Had LexisNexis followed up, letting me know that the problem was bigger than originally anticipated and providing me with complimentary searches as some other customers reportedly received, I would have come away with a much more forgiving attitude. In business, how you handle a messy incident can leave a more lasting impression than the incident itself."
In this day and age, these sorts of issues are the most important for an online business. All you have is your reputation and the trust of your customers. Don't apologize for any "unnecessary concern this incident may have caused" your customer. That's simply not going to reassure them and will likely make them mad. If a sensible customer is concerned, take it seriously. If you messed up, fix it and apologize. Most of the time, that'll do the trick. Covering it up, minimising the issue, "spinning it" or getting defensive will do the opposite. (For more on how to deal with incidents like this, see PIPEDA and Canadian Privacy Law: Two magic words, big effects ....)
Thanks to Techdirt for the link.
Labels: information breaches, privacy
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.