BrainTrust Query: Data Protection Standards Changing for Retailers & Database Marketers

Through a special arrangement, presented here for discussion is a summary of a current article from the Hanifin Loyalty blog.

What do Citi, Sony, Michael’s, Epsilon and four leading Australian banks have in common?

The answer is globalization — of consumer data intrusion, that is.

I’ve maintained a theory that data security will be the next differentiating field of play, not just for loyalty marketing, but for the broader database marketing industry. The steady stream of data breach announcements that we’ve seen during 2011 validates the growing problem.

I read this statement in an article this week on Supermarket News discussing lessons learned from a 2007 intrusion at Hannaford Bros.: "Compliance with the five-year-old Payment Card Industry (PCI) Data Security Standard — Hannaford was PCI-compliant — proved not a sufficient defense against malware that could pilfer moving card data."

If PCI isn’t enough, what is?

To get the answers, I sought out the opinions of a seasoned practitioner fighting cyber crime, Alan Heyman, managing director of Cyber Security Auditors & Administrators LLC.

Alan exploded one myth that I had believed about data breaches — that hackers might one day sweep money on large scale from a portfolio of checking or savings accounts at a bank.

"It won’t happen that way," he shared. "The hackers prefer to creep in and instigate small charges that can be perpetuated for a sustainable time without sounding the alarms of the corporate watchdogs."

While such direct fraud damage may be significant enough, a host of indirect costs can further devastate a breached firm. Alan told me that "the costs are an aggregate of IT hardware remediation and repair, legal fees and customer notification, and do not include fines and longer term remediation."

But the risk to brands is hard to quantify. How do you put a price on loss of customer loyalty, goodwill and trust? The cost of class action suits, fines from state authorities and customer notification is more easily projected, but think about large scale loss of customers who say, "I’m not going to shop there anymore," or "I’m not going to use my debit card anymore," and the threat comes into full perspective.

Alan validated the Supermarket News statement in my interview, saying that "organizations must work ahead of the game to establish a defensible security position" and that "PCI is not enough anymore, firms must create and maintain a Written Information Security Plan (WISP) to place themselves in an accountable and defensible position, should a breach occur."

The game has changed again, and all marketers who collect, manage and maintain consumer data should be re-orienting their view towards security "standards." I just scratched the surface in my conversation with Alan. We all need to go deeper. Your brand affinity and customer trust may just depend on it.

Discussion Questions

Discussion Question: Do retailers need to go beyond PCI standards for themselves and vendors? Would a Written Information Security Plan (WISP) provide a sufficiently “defensible position”?

Max Goldberg
12 years ago

If they want to maintain consumers’ trust, retailers must go beyond PCI standards to protect data. This is an ongoing game of cat and mouse, with hackers and security companies doing daily battle. Adhering to yesterday’s standards is not good enough.

Paula Rosenblum
12 years ago

PCI was never going to be enough. You can’t have a “permanent” standard in an ever-shifting and changing world of technology. Plus, it had nothing to do with customer information, only payment information.

However, there is no evidence in the US that customers are particularly upset by data breaches. TJX’s comps continued to rise after the massive data breach it had. Hannaford has had very little negative impact. After all, the consumer is liable for $50 max in any case. So PCI was just one of those things that sucked up time and energy, with (in my opinion) not a lot of discernible benefit.

I think the focus has to be away from PCI and on a sensible WISP.

Bill Hanifin
12 years ago

Retailers and others managing customer and transaction data need to take steps to create the “defensible position” at a brisk pace.

To date, I have read that consumers aren’t overly fazed by the data intrusions taking place in 2011, but that has to change at some point. Brands should be ahead of that change, and the ones that react in arrears to a crisis will be punished by the marketplace.

Creating and executing the plan to create the “defensible position” is an evolving area of business, and brands should align with the thought leaders in this space who have backgrounds as practitioners in corporate and data security.

James Tenser
12 years ago

At the present time, maintenance of a fully updated WISP plan and adherence to accepted data security standards like PCI seems to be the accepted standard for consumer marketers.

While securing a “defensible position” seems essential from the legal and insurance perspectives, I believe that top marketers must also look at this issue from an equity perspective.

The consumer relationship portfolio is a key corporate asset. When trust is diminished by an unauthorized intrusion, real damage occurs over and above the costs of remediation and fines.

A good WISP plan should address more than legal and liability exposure. It should be a living and dynamic preparedness document that keeps the company ready to respond in visible good faith to a data intrusion. Those considerations are the CMO’s responsibility, in collaboration with the CIO and corporate counsel.

Bill Bittner
12 years ago

Data security goes way beyond PCI. While PCI addresses the minimum requirements for ensuring payment transactions are secure, it does nothing to address identity and transaction history that customers may consider sensitive.

In the “old days,” data security was left to the individual application developer and each application had its own approach. In some strange way, this was better than today’s effort to create single sign-on support for internal users. With a single password stolen from a high security level employee, an intruder can access all a retailer’s applications.

The truth is that anything stored in a computer can fall into the wrong hands. It could be as simple as a rogue employee who carries a report out under their arm. One of the key requirements of PCI is that the “security code” associated with a credit card cannot be kept in the retailer’s database. This is a tacit admission that no matter how hard someone might try to protect a piece of data, the fact that it is stored somewhere means it is vulnerable.

So it seems the question regarding a data breach is not “if” but rather “when.” After doing everything possible to avoid them, a retailer must have an easily executed plan for responding to an intrusion (i.e. a WISP). So if it turns out that a woman’s disgruntled ex-husband works in your IT department and has accessed her new address and phone number from your database, you know what you are going to do. If a hacker gets access to your customer files, what will be your response? It seems you should also be asking yourself upfront whether you really need to keep all that data. Is it really worth the potential repercussions to know all the transaction details? More critically, is it necessary to directly link them to a name and address?

Cathy Hotka
12 years ago

The payment card institute put together the PCI rules because retailers weren’t doing enough to protect sensitive data. CIOs report that the executive suite doesn’t have much interest in investing in security technologies. The best security product out there, the one that government agencies and the military use, has been installed in only three retail companies. Expect the retail industry to remain in the headlines.
