Don't Do As TD Ameritrade Does -- And Don't Do As They Say, Either

The security breach that let spammers get hold of as many as 6.3 million TD Ameritrade customer names, phone numbers and e-mail addresses is being spun as a "Well, they didn't get Social Security numbers, account numbers, PINs or other confidential info; still we apologize for any inconvenience or annoyance," sort of problem. Mistake. Big mistake.

Keith Ferrell, Contributor

September 14, 2007


Company response to the TD Ameritrade hack -- which bears a certain resemblance to the recent Monster.com fiasco -- is starting to look like a textbook case of what not to say when company data of any sort gets compromised.

Take a look, for example, at this statement from Joe Moglia, TD Ameritrade's CEO:

"While the financial assets our clients hold with us were never touched, and there is no evidence that our clients' Social Security numbers were taken, we understand that this issue has increased unwanted SPAM, which is annoying and inconvenient for them. We sincerely apologize for that and any added concern this may have caused."

Who wrote that statement? Is no one looking out for Mr. Moglia's crisis-management demeanor and the message he's sending to customers and the press? Evidently not. To wit:

"... while there is no evidence that our clients' Social Security numbers were taken..."

Which sends the message, not deliberately, I'm sure, that there's also no evidence yet that SS numbers were not taken. That's surely not what Mr. Moglia intended to say, and it's just as surely not the message he -- or his Mar/Com handlers -- intended to send, but there it is.

Onward:

"We understand that this issue has increased unwanted SPAM, which is annoying and inconvenient for them."

It's more than that -- as the compromised names and numbers get shared and spread, and re-shared and more widely spread, every bit of junk mail will remind the recipient that their address got grabbed from a compromised TD Ameritrade database. That's more than an annoyance, and a lot more than an inconvenience, and Mr. Moglia should have acknowledged that.

This, from Mr. Moglia's statement, strikes me as putting bad icing on a bad cake:

"This issue is not unique to TD AMERITRADE. It's something that all companies involved in e-commerce should be aware of and prepared to address. We participate in industry peer groups to share information on these types of threats in the interest of protecting all clients."

Which tells clients only that a) we're not the only ones not doing a good enough job of keeping our databases safe, and b) the information being shared among the peers isn't good enough, deep enough, effective enough.

Note: I'm not saying that Mr. Moglia is wrong in what he's saying, only that the way he's saying it is wide open to misinterpretation by already "annoyed and inconvenienced" (and then some!) customers.

His video statement also includes this next comment, which has the advantage of being both accurate and true, but again doesn't seem to me to go far enough for a CEO whose company has been compromised:

"This is an issue for global e-commerce that will be with us for the rest of our lives."

As stated, it's hard to argue with -- but from a business perspective it would have been far more effective for Mr. Moglia to make a commitment right there, pledging a certain percentage of company revenue or profits or whatever to taking the lead in coordinating and invigorating the levels of information shared among participating "industry peer groups."

Couple of final points.

As I write this late in the afternoon, EST, TD Ameritrade's welcome page includes a soft yellow notice bar "regarding the recently reported SPAM investigations" and is otherwise business as usual, including an unfortunate (in present circumstances) We Promise Protection section.

Worse, when you follow the link to the SPAM investigations page, you get a page that is anything but assertive in putting information about the compromised data upfront and accessible. Scroll past the "Helping independent minded investors be successful" sell-copy and you'll eventually find a Special Client Announcement section beneath which the compromise is covered through press releases, video statements and so on.

Look: Joe Moglia is absolutely right about the nature of this problem -- it will be with us forever. And I'm just as sure that his comments and his company's damage-control materials were put together carefully and thoughtfully.

Too carefully and too thoughtfully, I think. In the event of a breach, your customers and clients are going to be mad as hell, and they had better know that, on their behalf and on behalf of your company, you are, too.

If your company network and customer/client information gets hacked or compromised, you have got to be more aggressive -- much more aggressive, I think -- in confronting an issue which will, fairly or unfairly, be perceived as a failure of your business's security procedures and technology.

Your communications with your clients and customers, and with the wider public and press through your statements and Web site had better send the message that you are as "annoyed" by the situation as they are -- otherwise you're going to have a bunch of "annoyed and inconvenienced" customers getting angrier by the moment at your spin, and spinning themselves and their business away from your company to somebody else's.
