If you’ve heard me speak, you know I give a quick example (a diatribe, really) about how the new three little words strikes fear into everyone’s hearts. Those words?
“On the Web“.
I mean pictures, videos, messages of, and about you, on the web. Scary? You bet!
For the record, the old TLW used to be “I love you”. :P
All that said, here’s some new scary words for you .. far more than three words, though. This came in last week via USPS:
We are writing to let you know that computer tapes containing some of your personal information were lost while being transported to an off-site storage facility by our archive services vendor.
Now, that’s scary. Let’s discuss:
- They’re trying to avoid fault by stating “by our archive services vendor“.
- They’re creating fear by stating “your personal information“, with all the issues surrounding identity theft.
- They’re assuring us they have remote backups (John and Jane may not get this, but I do), which is usually a good thing.
While we have no reason to believe that this information has been accessed or used inappropriately, we deeply regret that this incident occurred and we wanted to explain the precautionary steps we have taken to help protect you.
- “.. we have no reason to believe that this information has been accessed or used inappropriately”: Optimistic, at best. How do they know if they can’t find the tapes? Are the tapes in their possession now, or are they still missing? If recovered, can they tell if the tapes were read or restored to a system?
- “We deeply regret“: Wow. An apology (sort of).
- “.. explain the precautionary steps we have taken ..“: Sorry kids, but precautionary means you planned something in advance, not reacting (as you are) to a situation you (oh, sorry .. your vendor) created.
Then comes some background into the kind of information that was lost; in this case, stockholder information for publicly-traded companies. They didn’t specify which companies, however, I’ve only worked for one publicly-traded company, and that was Microsoft.
Next (this was in bold, by the way):
Please note that while the timing of this notice was affected by our forensic investigation into the nature and scope of this incident, based on information received to date, we have no reason to believe your information has been or will be improperly accessed or misused as a result of this incident.
This is fun now:
- “.. timing of this notice was affected by our forensic investigation ..“: what the Hell does this mean? Did they anticipate the data loss and are sending this in advance, or did they want to get the notice into the mail as soon as they discovered the loss? In the finance world, “forensic” typically means the analysis of statements, and logs, cross-referencing them against the universe of facts, like date, time, location, who benefited, etc.
- “.. we have no reason to believe ..“: Folks: they have no idea. Not sure why they want to say this again (especially in bold).
- “.. as a result of this incident ..”: “This” incident? There are others? Gawd.
“Unbreakable” is a great film in which Samuel L. Jackson plays a physically-challenged cynic. He tells Bruce Willis that when someone has an offer that’s too good to be true it will follow with an ask for a credit card number.
Surprise, surprise. No free lunch, in other words.
Back to my letter. This vendor (yes; it’s from a vendor) doesn’t ask for a CC number .. in fact, they offer a two-year subscription to their usually-for-pay, identity-theft-protection and credit-notification service as a means to repay for their mishandling of my records.
This suddenly raised the question with me: Was my data ever actually lost, or is this just a come-on for their service? I’m a pragmatist, not a cynic .. but I can’t help to think something could be fishy here.
Further, what if their Terms of Service (which, nobody reads anyway) includes an indemnity clause that prevents further action against them if I accept the service. This was one ToS I read very, very carefully. Candidly: the cynic in me was (almost) disappointed that it didn’t. Would have made for a far more interesting post.
Did I sign up? Yes. I did sign up for the free service. Why? Well:
- It was offered with no risk (they didn’t ask me for a credit card number).
- It seems quite comprehensive (i.e., all credit agencies and credit-related actions).
- It’s quite interactive, including alerts for changes to my credit rating, including inquiries, “potentially negative” events (I had to report a CC lost this past week, and the service notified me).
I’ll let you know how it goes.
Original Post: September 28, 2008