BrainTrust Query: The Epsilon Imperative

Through a special arrangement, presented here for discussion is a summary of a current article from the Tenser’s Tirades blog.

In what some observers say was the largest breach of consumer data in history, servers at Epsilon Interactive, the database services company, were compromised by hackers last week, exposing the names and email addresses of millions of American consumers to the spam-o-sphere.

Within hours, alerts hit my personal inbox from Kroger, Target, Walgreen and Hilton HHonors informing me that one of my addresses was now in the wild. Why did these gigantic companies have my email address stored on Epsilon servers? Simple. I am enrolled in their frequent shopper programs. And until now, Epsilon was as reputable and secure a place as you could get to host customer data.

The e-mails came fairly promptly, showing that these frequent shopper/guest list owners exhibited some consciousness of responsibility for the incident. But there’s still the legal and regulatory exposure.

Under laws enacted by 46 states since the notorious TJX data breach that came to light in 2007, any company with a direct marketing or frequent shopper list that fails to prepare and maintain a private data response plan may be exposed to dozens of lawsuits brought by state attorneys general. Legal fees and fines can spiral out of hand, and the secondary damage to brand reputation may be multiplied along with them.

It seems that loyalty programs just got harder to operate, but a great many consumer-facing businesses consider loyalty and relevance-based marketing to be essential competitive activities. Consumers expect the personalized services and rewards promised by these programs. The databases deliver crucial insights that enable efficient and well-targeted marketing.

While CIOs work feverishly at data security, it’s up to the CMO and CCO to protect brand and customer equity by ensuring that sound response plans and practices are put into place. They must confront new questions like:

  • How is the consumer’s perception of our brand affected now that their
    information has been violated?
  • Is the value of our brand and customer equity negatively affected by a
    data breach? How bad is the damage?
  • Are we prepared to demonstrate our diligence to our customers and card
    holders by mobilizing rapid notification and protective actions?
  • What compensation can we provide to the consumer for their discomfort,
    angst and worry?
  • Can our forthright response turn a data breach into a service recovery
    opportunity so that we gain trust, not lose it?

In today’s world, the relevant question regarding data breaches is not “If?” but “When?” Set against the backdrop of state and foreign regulations, this means loyalty and direct marketers must maintain a dynamic preparedness and response plan that can be triggered the instant a negative event occurs. This is a capability few companies have today, but one that all should acquire.

Discussion Questions

To what degree is news of consumer data security breaches affecting the appeal of loyalty programs? How should retailers and brands protect both consumers and their brand equity against future breaches?


17 Comments
David Biernbaum
13 years ago

These types of events get into the news and create some conversation and noise around the water cooler, but if nothing bad happens to the majority of consumers, the news dissipates and very few consumers will change their habits about registering for loyalty programs.

Max Goldberg
13 years ago

It’s not just loyalty programs that consumers will question, it’s all efforts to gather personal data, and rightfully so. Retailers and brands need to take a careful look at what information they really need to gather and how they will protect it. If private industry does not do a better job, government will step in. Consumers don’t like receiving multiple emails informing them that their personal information has been stolen. It will make them hesitant to share it in the future and question whether giving out personal data is worth the risk.

Dan Berthiaume
13 years ago

I don’t know if this data breach will have a huge impact on retail loyalty programs because data breaches have become routine, unfortunately. Financial institutions, banks, colleges, etc. have also had large, well-publicized data breaches. Consumer privacy expectations are not what they once were, for better or worse.

Joan Treistman
13 years ago

What a coincidence. I have just cancelled several credit cards that show random payments (about 20 since March 30th) to Time Warner Cable. I have no account with Time Warner Cable and clearly they are happy to receive monies from me without question as to why. They never reached out to me. I’ve called Security at Time Warner and they are uninterested in my concern. I’ve reached out to them each time I received a statement with fraudulent charges. Only the banks/credit cards have been responsive, immediately canceling the cards and reversing the charges.

Loyalty programs and others can take a lesson from the banks who have been dealing with security issues openly and directly for quite some time. Unfortunately, hackers are a part of cyber life and I doubt their invasions are entirely preventable. So as the article suggests it is up to companies to plan for “when” and not “if.”

Time Warner Cable for the moment seems to believe that avoidance is bliss. But I doubt that they can maintain that mantra for long. Social media may have some impact as I am using it to alert my friends and colleagues about how Time Warner Cable is not at all helpful as I try to resolve this.

Dan Raftery
13 years ago

The Epsilon breach should provide privacy rights extremists plenty of fuel to stoke their paranoid propaganda programs for quite a while. Unfortunate for data-based marketing folks of all stripes, but not a deal breaker, in my opinion. I think that the portion of the general public which elects to exchange their data for something they value has learned the difference in severity of data breaches. Most of us already need to deal with nasty spammers. Who’s going to notice a few more?

Steve Montgomery
13 years ago

I agree that unfortunately all of us have become more complacent about data breaches. This will limit the negative impact this latest incident will have. While the companies that collect the data have responsibility for protecting it, we as consumers also have a duty to guard our data.

For me that means not giving out my information to every retailer, etc. who asks for it–including emails. When asked “Can I have an email address” my response is no or I give them ones that I don’t care about or use often. I use one of these addresses for any loyalty programs I join. While this is not by any means a foolproof plan, it does limit my exposure on the addresses I use for work, etc.

Ralph Jacobson
13 years ago

Americans, at least, have a very short attention span for most things. Since no immediate damage occurred, at least until now, I believe there is no lasting negative sentiment in the consumers’ minds…that is, no more than what already existed. Look at gasoline prices as an example. Prices continue to climb; however, has anyone truly cut down on their driving habits? We will continue to be a part of loyalty programs that we view have value to us, until something really bad financially happens.

Dan Frechtling
13 years ago

As Jamie suggests, CIOs are working far more actively to address this than CMOs.

One reason is that the problem and solution are asymmetrical. How much credit has Yahoo gotten for taking the lead on multi-layer phishing protection? Not much. There’s less marketing leverage when the goal is to avoid downside rather than capitalize on upside.

Another reason is that general vigilance is more effective than individual notifications. It’s challenging to break through with a message about email using email. The media news around this breach was more effective in generating concern than the inbox.

Fraud is a disease. Fully 12 financial institutions and 40 retail businesses were affected by this breach. While CIOs work on prevention, the best way CMOs can help treatment is to be forthcoming to the media and public when it happens.

Al McClain
13 years ago

While this was a pretty run of the mill data breach with minimal impact, the interesting thing about it to me is that it apparently affected so many retailers and marketers, and they all responded about the same way–by sending out a generic e-mail to their loyalty program members. I got about a half a dozen and they all said essentially the same thing: Epsilon did it, it’s too bad, and “be careful” opening any e-mails you get. There sure wasn’t anything in there about regaining trust, protecting customers, etc., other than the standard mumbo jumbo that was no doubt reviewed by the legal department many times, to leave minimal room for lawsuits.

Mel Kleiman
13 years ago

To 99% (made up number) of the American public, I am sorry to say this will be a non-issue.

Spam and security breaches have become a way of life and we just throw it out like we do the garbage.

Americans seem to have lost their privacy, but most of them don’t care and keep giving up more and more information freely.

Ed Rosenbaum
13 years ago

We are beginning to hear or read about this type of security breach too often. I received four alerts, mostly from hotel chains I use while traveling. I was concerned, but not enough to do anything more than read the alert. Maybe I have become too trusting and need to examine my use of these programs.

Cathy Hotka
13 years ago

First, I have to question Jamie’s assertion that CIOs are working “feverishly” on data security. Most of the CIOs I talk with complain that they have to beg for security funding. Very few retailers have installed advanced forensic software that would allow them to see who’s in their systems at any given time.

That said, this is only round one of the breach. Wait until customers start to get spear-phishing attacks from bad guys who can pose as retailers…the backlash won’t be pretty.

James Tenser
13 years ago

Thanks to all who responded so far. I realize this is new territory for us marketing types, but I want to emphasize that the consequences of consumer data exposure go beyond public relations, to encompass potentially massive legal exposure. This is the new risk to brand equity I try to make clear. The following may be helpful to CMOs:

The Massachusetts Data Security Breach Notification Law, Chapter 93H, requires an individual, business or governmental agency holding “personal information” about a state resident to provide notice in the event of a data security breach. To this end, every such entity is required to develop and implement a written “comprehensive data security program.”

Any entity with even a single Massachusetts citizen in its database may be subject to this requirement. The other 45 state laws are similarly modeled, which means that one adverse event may trigger 46 separate legal actions, not including one from the FTC.

So as marketing pros pursue the laudable goals of personalization and relevance through database, online and loyalty marketing, they also take on a degree of risk that may not be apparent. This may be mitigated, however, by prudent planning and education.

Gene Detroyer
13 years ago

I too received 6 or 8 of these notices and I, like many, simply read the first one or two, deleted them and ignored and deleted the rest. What is there to do that doesn’t add up to more of a difficulty than the risk that may be forthcoming?

To me, email addresses add up to spam. My spam over the years has dropped to almost nothing. Perhaps a handful a week. Does the breach affect my brand perception? Not at all.

However, it is still unacceptable and ultimately, the government will further regulate the handling of the data. Unfortunately, no company will take it seriously until the financial liabilities involved exceed the cost of protecting the data. Nor should they.

Alan Heyman
13 years ago

I’m convinced that too many marketers and retailers remain complacent about the pending danger of cyber insecurity to their bottom line or their brand equity. Reported financial losses in the US have been increasing dramatically every year. The breach at TJX (2005, including TJ Maxx, Marshall’s and Bob’s Stores) has resulted in fines and settlements in excess of $100 million, not to mention the unreported cost of correcting the problems–or the loss of good will.

The Federal government and the vast majority of the state legislators are very aware. They have passed numerous consumer protection laws and are passing more each day that are challenging the way American marketing has been conducted. These concern the protection of personal data, with a growing impact upon retail and direct marketing practices. The Massachusetts Privacy law (2010) is requiring any company in the US or the world that conducts business with a Massachusetts resident or company to be compliant with its laws, regardless of where the company is domiciled.

The stealing of emails is only the beginning of utilizing data mining to create profiles of individuals to steal their identity as well as their assets. It is like a perversion of direct marketing programs. Just as legitimate marketers create profiles to learn more about the consumer, cyber crooks use these tools also.

The greatest challenge is how to demonstrate to the state or federal regulators that your company is both secure and compliant with all the laws. If companies do not act, the high level of the fines will force them to. Brand owners cannot protect themselves or their customers by saying this is “not a big deal.” Just ask TJX.

Justin Gross
13 years ago

The Epsilon breach was a wake-up call for many businesses, clients and customers alike. It raised even further awareness of the threat of data and security breaches. As a result of this incident, businesses and clients realized that further protection will be needed. The good faith and reliability that customers put in businesses are at risk; things that businesses cannot afford to lose.

Bill Hanifin
13 years ago

Seth Godin introduced the term Permission Marketing over 10 years ago. He recently speculated that the “Permission” aspect of marketing has been thrown out the window by aggressive marketers who forgo “opt-in” and add email addresses to their mail lists regardless of source.

That is a different form of irresponsibility that could lead to a breach than retailers who should be investing further in data security.

The first practice violates Permission Marketing principles consciously and opens the door to a potential liability that will draw multiples of consumer ire when the consumer wonders how they got on the list in the first place.

That said, data security needs more attention and the supplier marketplace may shrink as fewer can afford to comply at a high level to new standards and requirements.

Further to this, please read my recent post on the Epsilon breach at Loyalty Truth here: Epsilon Security Breach a Reminder of Constant Threat
