An Inconvenient Theft of Personal Information

About a week ago I got a letter from an online retailer telling me that their computers had been hacked and some of my personal information had possibly been stolen. Gut reaction: how nice of them to let me know. Reaction after finishing the letter: gee, I wish they would have told me something.

Don’t get me wrong – I really appreciate that they let me know my information may have been stolen, but could they have been a little more explicit with the details?

page 1

After reading this, all I know is that a theft occurred. I know no details of what information of mine may be gone. What did I have stored on the site? A credit card number? Address? You see, OESD is a small company that sells digital patterns for embroidery sewing machines. I used to buy patterns from them for my mom, but I haven’t done that in what seems a couple years. So I don’t really remember what information I gave them. Did I store a credit card number, or just type it in every time? And, what credit card was it? I changed my number six months ago, and don’t really know if the number they have is the old or the new.

Ok, so it’s a form letter. They didn’t take the time to have the system print some more specific information for each recipient (though that wouldn’t have been very hard, given the system is already printing specific addresses). I’ll cut them a little bit of slack.

But I’m an English prof. Specifically, a Tech Writing prof who teaches students how to write letters just like this. And given that I notice a few more things.

One, they regret “any inconvenience this data theft may cause [me]” – inconvenience? Really? That’s the word you chose to use? Yes, it’s definitely an inconvenience that somebody out there may be charging on my credit card. And, since I don’t know exactly how much information was stolen, it’ll be really inconvenient if the thieves open more cards in my name and I’ve got to fight identity theft there.

page 2

Two, they don’t really offer to have me contact them for information. OESD goes to great lengths to give me contact info for the various governmental bodies that are forcing them to send this letter. But the only offer for me to contact them directly comes in the very last sentence: “If you have any questions or concerns, please call [a number].” That’s what I would put on a letter announcing a new sale. Not what I would put on a letter telling people financial information has been hacked. They could at least tell me who I’m calling. Is it a special hotline, or just the receptionist.

Three, they don’t tell me what they’re doing to get my information back or to “catch the bad guys.” They completed an internal investigation to find the source of the attack. The results: they think they have an idea of what might have happened. And they promise me that it won’t happen again. I can only assume that they’ve done all they’re going to do.

Four, this happened on Feb 3rd! That is, this happened three months ago. Any danger to my credit rating, any danger of identity theft is already gone. The people who took this information wouldn’t sit on it for months on end waiting for me to find out the information is compromised. OESD either just found out about this, which shows bad monitoring of their system. Or they waited for the investigation to conclude, which shows serious disrespect for me, the consumer.

What this hits me as is a form letter they were forced to send by the FTC. They have no real idea what happened and they have no idea how to figure out what happened. Will I be updated in the future? Since they don’t say so, my guess is no.

Lesson for Technical Writers
When you’re writing to tell someone of a catastrophic event (this counts, though it’s a mild one), be specific, detailed, and future oriented. A generic letter void of any real information just leaves the recipient angry and bitter. And it destroys all confidence in the writer. If the reader thinks the only reason you’re writing is because the big bad government said you had to, well, he’s got to wonder if you’d have even spoken up otherwise.

As for my relationship with OESD? They just lost a customer.