What makes a business apology letter effective? Our team was asked by Network World to comment on the effectiveness of ten apologies issued by the CEOs of several major financial, retail and academic institutions. In each case, an apology letter was sent to customers and clients after the company discovered serious data breaches in their respective information security systems.
In our response to the request we began by explaining that very few business apologies ever meet the 'perfection' standard, while some less-than-perfect apologies work out just fine (as some of these probably did).
We also noted the fine line between a perfect business apology letter and groveling—JetBlue's apology (they've issued many), which we discuss extensively on the site, is a great example of getting very close to the perfection mark without going over the line.
We cited the JetBlue apology because, while it isn't a case of an information (IT) security breach, it does provide an excellent set of benchmarks for identifying strong, credible and effective business apology strategies that include most of the ingredients we emphasize throughout this site.
The initial data provided by Jon Brodkin of Network World came from the Privacy Rights Clearinghouse, news accounts, and the websites of the companies in question.
With these qualifiers in mind, we set out to evaluate the ten business apologies by determining which of the letters issued by these CEOs were the most and least effective. We also highlighted the most common threads and mistakes that companies typically make when writing a business apology letter.
Rather than provide a general assessment of these business apologies based on some idealized standard, we decided instead to evaluate each business apology letter in relation to the others. Although some of the errors/mistakes made by these companies were more serious than others, it was still possible to evaluate all of them on the same 1-10 scale.
With the exception of a press release issued by ChoicePoint, none of the ten business apologies were very good. Many of the CEOs made the same standard mistake—they passed the buck by assigning most of the responsibility to other forces or players, and emphasized 'regret' rather than expressing a sincere and credible apology for their company's failure to meet their customers' reasonable security needs and expectations.
None of the business apologies acknowledged any real responsibility for the loss of security, and none (except for one) offered ANY reasonable compensation.
While compensation options may not be terribly obvious for many of the companies, an offer to at least consider some form of restitution is always available and should be a key ingredient of any standard business apology letter.
Also, very few of these business apologies explained in any detail what the company was prepared to do to prevent a re-occurrence.
Finally, the most serious yet common impediment to an effective business apology letter (illustrated through these ten examples) is the often exaggerated concern CEOs (and their lawyers) have about litigation. This may explain the uniformly very low scores.
The maximum score that we gave was 7/10 and the minimum was a -3. Yes, that is a negative three—the recipient is Boeing President and CEO Jim McNerney for an apology email he sent to his employees after a laptop containing sensitive and personal data of current and former employees was stolen.
There is much to learn from seeing how 10 different organizations handle a similar issue. As you will see from our reviews, these CEOs were either ill-prepared, received poor advice, or just didn't care.