I previously raved about the Clear service. Last week, they had a laptop stolen (subsequently recovered) and I am distressed over their handling of the situation, and am actively considering terminating the service. Here's the email I sent to Clear in response to their email to customers (belatedly) notifying us of the theft.
You'll forgive me for saying this but I find the attached letter offensive, ignorant and contradictory.
Let me first state I'm very relieved to hear that none of my information was implicated. I'd hate to think it had something to do with the theft. Perhaps you meant to say "compromised"?
Then, get your timeline right. You were going to tell me my data was potentially compromised but before you could notify me, you found the laptop. Of course, before the laptop was recovered, you found time to issue the press release about the loss. In other words, you were more concerned about the impression this might leave to non-customers before you addressed the issue with customers. I find this priority patently offensive.
Then you say none of my personal information was on the computer in any form. If none was there, why are we even having this discussion? Is it "none" or is it "limited"? If "limited," what information was it? Knowing this will enable me to take precautions if I choose not to rely on your assertion that the information wasn't accessed. How can you state this with certainty? Because Windows security is so fool-proof that if someone were to compromise your machine, you certainly would know? That is just a laughable premise. Are you so certain that rather than helping me to restore the integrity of my records, you'll instead indemnify me for any financial losses and compensate me for my time and loss of reputation and impaired function? I thought not.
Frankly your response has me more concerned than I was before I heard from you. I think an appropriate response to this situation would be to offer to those whose confidence in you has been shaken by this incident that you offer a full and complete refund of any and all fees paid to you or at the very least the outstanding portion of the contract. I'm not saying I want to avail myself of that but I am saying my confidence in you has been shaken not by the loss -- that happens -- but by your inadequate safeguards and your offensive response. I am certainly going to explore my options.
Date: Thu, 7 Aug 2008 13:27:05 -0400: firstname.lastname@example.orgSubject: Clear Privacy Update
About your clear account
Dear Jonathan Yarmis,
We take the protection of your privacy extremely seriously at Clear. That's why we announced on Tuesday that a laptop from our office at the San Francisco Airport containing a small part of some applicants' pre-enrollment information (but not Social Security numbers or credit card information) recently went missing. None of your information was in any way implicated. However, we were prepared to send those applicants and members who were affected the appropriate notice on Tuesday detailing that situation.
Before we could send out that notice, the laptop was recovered. And, we have determined from a preliminary investigation that no one logged into the computer from the time it went missing in the office until the time it was found. Therefore, no unauthorized person has obtained any personal information.
Again, none of your personal information was on the computer in any form, but we nonetheless wanted to give you details of the incident that could have affected others applying for Clear memberships because the incident involves Clear's privacy and security practices and policies.
We are sorry that this theft of a computer containing a limited amount of applicant information occurred, and we apologize for the concern that the publicity surrounding our public announcement might have caused. But in an abundance of caution, both we and the Transportation Security Administration treated this unaccounted-for laptop as a serious potential breach. We have learned from this incident, and we have suspended enrollment processes temporarily until all pre-enrollment information is encrypted for further protection. The personal information on the enrollment system was protected by two separate passwords, but Clear is in the process of completing a software fix - and other security enhancements - to encrypt the data, which is what we should have done all along, just the way we encrypt all of the other data submitted by applicants. Clear now expects that the fix will be in place within days. Meantime, all airport Clear lane operations continue as normal.
Please call us toll-free with any questions at (866) 848-2415. Again, we apologize for the confusion.
Sincerely, Steven BrillClear CEO
P.S. A reminder: One of Clears unique privacy features is that all members and applicants are given an identity theft protection warranty which provides that, in the unlikely event you become a victim of identity theft as a result of any unauthorized dissemination of your private information by - or theft from - Clear or its subcontractors, we will reimburse you for any otherwise unreimbursable monetary costs directly resulting from the identity theft. In addition, Clear will, at its own expense, offer you assistance in restoring the integrity of your financial or other accounts. So had there been any actual compromise of your personal information, you would have been additionally protected.