BrainTrust Query: Data Protection Standards Changing for Retailers & Database Marketers
Through a special arrangement, presented here for discussion is a summary of a current article from the Hanifin Loyalty blog.
What do Citi, Sony, Michael’s, Epsilon and four leading Australian banks have in common?
The answer is globalization — of consumer data intrusion, that is.
I’ve maintained a theory that data security will be the next differentiating field of play, not just for loyalty marketing, but for the broader database marketing industry. The steady stream of data breach announcements that we’ve seen during 2011 validates the growing problem.
I read this statement in an article this week on Supermarket News discussing lessons learned from a 2007 intrusion at Hannaford Bros.: "Compliance with the five-year-old Payment Card Industry (PCI) Data Security Standard — Hannaford was PCI-compliant — proved not a sufficient defense against malware that could pilfer moving card data."
If PCI isn’t enough, what is?
To get the answers, I sought out the opinions of a seasoned practitioner fighting cyber crime, Alan Heyman, managing director of Cyber Security Auditors & Administrators LLC.
Alan exploded one myth that I had believed about data breaches — that hackers might one day sweep money on large scale from a portfolio of checking or savings accounts at a bank.
"It won’t happen that way," he shared. "The hackers prefer to creep in and instigate small charges that can be perpetuated for a sustainable time without sounding the alarms of the corporate watchdogs."
While such direct fraud damage may be significant enough, a host of indirect costs can further devastate a breached firm. Alan told me that "the costs are an aggregate of IT hardware remediation and repair, legal fees and customer notification, and do not include fines and longer term remediation."
But the risk to brands is hard to quantify. How do you put a price on loss of customer loyalty, goodwill and trust? The cost of class action suits, fines from state authorities and customer notification is more easily projected, but think about the large-scale loss of customers who say, "I’m not going to shop there anymore," or, "I’m not going to use my debit card anymore," and the threat comes into full perspective.
Alan validated the Supermarket News statement in my interview, saying that "organizations must work ahead of the game to establish a defensible security position" and that "PCI is not enough anymore, firms must create and maintain a Written Information Security Plan (WISP) to place themselves in an accountable and defensible position, should a breach occur."
The game has changed again, and all marketers who collect, manage and maintain consumer data should be re-orienting their view towards security "standards." I just scratched the surface in my conversation with Alan. We all need to go deeper. Your brand affinity and customer trust may just depend on it.
- Data Protection Standards Changing for Database Marketers – Hanifin Loyalty
- The Epsilon Imperative – RetailWire
Discussion Question: Do retailers need to go beyond PCI standards for themselves and vendors? Would a Written Information Security Plan (WISP) provide a sufficiently “defensible position”?