Remember when “We take your privacy and security very seriously” became de rigueur in breach disclosures? Now there’s other language being frequently added to breach disclosures — language that makes it sound like what the entity is about to tell you is really no huge deal, but if you feel you really need to protect yourself, they’ll tell you what you can do.
Here are just a few examples, culled from recent disclosures I read:
“The following notice includes information about the event, steps taken since discovering the event, and resources available to help individuals protect against potential misuse of their information, should they feel it is appropriate to do so.” — Campbell Conroy & O’Neil law firm, disclosing a ransomware incident.
“This notification provides information about the event, PCHC’s response to it, and resources available to individuals to help protect their information, should they feel it necessary to do so.” — Peoples Community Health Clinic, disclosing hack of an employee’s email account.
“While Unity is unaware of any attempted or actual misuse of information in relation to incident, Unity is providing potentially affected individuals with information about the incident and steps individuals may take to help protect their information should they feel it is necessary to do so.” — Unity National Bank, disclosing hack of an employee’s email account.
“Although Diamond Foods is unaware of any attempted or actual misuse of information in relation to incident, Diamond Foods is providing potentially affected individuals with information about the incident and steps individuals may take to help protect their information should they feel it is necessary to do so.” — Diamond Foods LLC, disclosing both a hack of its network and the incidental discovery that an employee’s email account had also been compromised previously.
What are you — a wuss if you feel it is necessary to protect yourself?
I really don’t like the inclusion of such language in breach disclosures.