Opinion: After a privacy breach, how should you break the news?

Computerworld - Following recent data debacles at ChoicePoint, LexisNexis, Bank of America and other places, more and more people are receiving the dreaded news that their personal information is at risk because of a privacy breach. Based on a recent study conducted by Ponemon Institute, we can provide some insight on what customers' expectations are when they receive notification.
For the past three years, our institute has focused on consumers' perceptions of the trustworthiness of organizations they regularly interact with. And we believe it is a major threat to the goodwill and trust an organization has established with its customers, employees and contractors if it can't allay the fears of those victimized by a data breach.
Notification is already required in certain states, starting with California law SB 1386, which went into effect over a year ago. Federal law may require such notification in the future.
In our study of privacy breach notification, we surveyed more than 400 adults in the U.S. who have received notification that their sensitive personal data was missing or acquired by unauthorized parties. These incidents were either the result of an innocent mistake such as losing backup files or actions by a malicious employee or outsider.
A majority (more than 60%) of those notified live in states that have a breach notification law -- mostly California. More than 54% of the breach notifications were from companies in the financial services industry, and most of the consumers held active bank or credit card accounts with the organization reporting the incident.
More than 25% were notified by both telephone and written communication, including e-mail. Thirty-one percent were notified by telephone only, and the remaining 44% were contacted by written communication only. More than two-thirds of the notices were received more than 45 days after the supposed incident.
We learned that about one-third of subjects believed that the notification was truthful. Another 41% believed that the notice they received failed to communicate all the facts. The remaining 26% were unsure about the integrity or honesty of the message being conveyed.
Among consumers who believed that the notification was not truthful, almost 86% said they planned to churn and take their business elsewhere. Among those who believed that the notification was truthful, a smaller percentage -- 42% -- planned to churn.
Over 82% of respondents expected the organizations to do more to assist them. The remaining 18% of individuals were satisfied with the organization's responsiveness to the problem.
The No. 1 fear concerning the breach was identity theft. No. 2 was