Yesterday I received a terrible email. Terrible both because it delivered bad news and because it was badly constructed and ultimately ineffective.
I already posted a twitter thread about it, but I’m going to go into more detail here (and also proofread better – I really wish twitter would let us edit tweets!).
Email subject lines – what not to do
The subject line of this email was “Starwood Guest Reservation Database Security Incident.” This is a terrible subject line. For one thing, I very nearly deleted it because I regularly get promotional emails with the words Starwood Guest in the subject line. But as I went to delete it, my eye caught the word security, and I remembered I’d heard something about a Marriott data breach.
Front-load your subject lines
Email subject lines need to be front-loaded because users view emails in all kinds of different contexts that can shorten how much of the subject line they actually see when choosing whether to open the message. The purpose of the subject line, for any email, is to get the recipient to open it. Marketing emails often do this through some form of click bait, but emails with information that readers genuinely need to know must demonstrate relevance to get people to open them.
In this case, the most important words are “security incident,” although even those are somewhat coded and abstract. But I’ll get to how I would have written the subject later.
Avoid noun strings
This email subject line is also a noun string, which I’ve already written about. The problem with noun strings is they’re ambiguous: it’s not clear how all the nouns relate to each other. They place cognitive load on the reader to unpack the relationships. Any time you put cognitive load on readers, who are already busy and stressed even if they have incredible literacy (which is not a reasonable assumption for the general public), you risk your message being lost. Never mind that readers might get the message wrong.
To unpack noun strings, you usually have to start from the end and work backwards, adding connecting words as you go. You could unpack this noun string as “security incident involving reservations of Starwood guests” — but I can’t be sure because it’s a noun string!
Avoid bureaucratic language and jargon
This advice applies to all content for a non-specialized audience, not just email subject lines. But this subject line is rife with internal language. In a situation where you’re delivering bad news to your clients, you need to use real, concrete language to demonstrate care and a willingness to take responsibility. It shows you’re not trying to hide or bury anything. This subject line fails spectacularly in that.
A better subject line
There are a million different ways to write a better subject line for this email – there’s no single right way. Without spending too much time and without internal knowledge of the company and details of the breach, if I had written the subject line, I would probably write something like this:
Your data is at risk
By using the word “your,” it literally puts the client or recipient first and tells them what’s up without being overly alarming. The subject is clear, concise and straightforward. Putting “your data” first front-loads the message, and the words are short enough that “risk” should show up in most contexts. The two power positions for words are at the start of a line or sentence and at the end. In this case, readers can pick up the key words, your data and risk, with a single glance.
The body of the email – what not to do
Again, this email is a study in precisely what not to do. The email contains 3,000 words! The first section, which summarizes what happened and the steps Marriott is taking to deal with the situation, is nearly 700 words. That is way too long. This section is “signed” by a person with no accompanying title, so I have no idea who they are or why I should care that they’re signing the email. Presumably they’re the CEO? But who cares?
Sometimes it’s just not about you as an organization
The message is entirely focused on the organization, and not on the client whose data has been hacked. It starts with “Marriott values our guests and understands the importance of protecting your personal information.” and continues in that vein for the whole message. Literally eight out of ten paragraphs start with the word Marriott.
Frankly, I don’t give a fig newton what the company values or what they’re doing. I care about the impact on me. What does this mean for me and what do I do now? It is a pretty common practice to restate your organizational values, but save that for after you’ve given the important information for the user.
After the “signed” message there’s a bulleted list of “additional steps you can take regardless of where you reside.” (What does it matter where I live? I have no idea. From the content, it might have something to do with laws and who to contact to report fraud?)
Answering my burning question of what do I need to do now that Marriott lost my data is clearly a lower priority for Marriott than talking about how awesome they are. Here’s the list:
- Monitor your SPG account for any suspicious activity.
- Change your password regularly.
- Do not use easily guessed passwords.
- Do not use the same passwords for multiple accounts.
- Review your payment card account statements for unauthorized activity and immediately report unauthorized activity to the bank that issued your card.
- Be vigilant against third parties attempting to gather information by deception (commonly known as “phishing”), including through links to fake websites. Marriott will not ask you to provide your password by phone or email.
- If you believe you are the victim of identity theft or your personal data has been misused, you should immediately contact your national data protection authority or local law enforcement.
To be honest, I still don’t understand what this breach means for me. Was my credit card information stolen? The message tells me it could have been, but surely they could find out specifically whose payment details were stolen? And isn’t the list above just a bunch of general best practices? What would cause me to believe I’m the victim of identity theft? How would I know?
The next 2,000+ words are broken down by geographic area, starting with the United States, then getting into some specific states, then Europe. I *think* some of the content buried in the middle of this section could possibly apply to more than the area it comes under, but I can’t be sure, because it’s unclear.
I am in Canada, and I know for sure they know that – they have my address! (It was likely stolen!). But there is precisely zero information for Canadians. All the content for people in the US and Europe just makes me more aware of how there’s no information for me.
Address separate audiences separately
If you are sending an email to clients in different geographic areas, and different areas need different content, create separate emails for them! Never force your clients to wade through content that doesn’t apply to them. It’s just mean, and it does your brand zero favours.
Throughout my career, I’ve often been told to “keep it simple.” But simple for whom?
I think complexity is like energy – it can be neither created nor destroyed. You can only move it around. So if you make decisions that keep something simple for you to implement, you’re likely passing complexity on to your external audiences. I will always advocate for taking that complexity on internally to make it simple for users.
In this case, to make it simple for its readers, Marriott would have had to create multiple email templates:
- one for people in each state mentioned in the content
- one for people in the other US states
- one for each European country mentioned
- one for people in countries not already mentioned (cough Canada cough) — plus what about all of Asia, Africa, Australia and South America?
But that’s only based on the content I see. When you have different content that applies differently for different people, you need to sort through all the content to determine:
- what content is common to everyone (we lost your data)
- what content applies to which audiences (what you need to do now)
Once you have that figured out, you can decide whether you actually need to get into the level of detail for the specific audience content. Maybe you only need the general content. In these situations, I often create the content for 80% of the audience and give enough information for the 20% exceptions to identify that they’re an exception, and then I direct them somewhere else for more details. In this case, maybe Marriott could set up a web page for most of their information – and it could even be interactive, so it sees what country or state you’re in and displays only the content for that area.
I have to say that with a brand as big as Marriott, I’m surprised they don’t have people who think this way. Or maybe they do, but they either weren’t consulted in the creation of this email, or they were ignored. Either way, it’s a clear example of a terrible, horrible, no good, very bad user experience.