In what some observers say was the largest breach of consumer data in history, this week servers at Epsilon Interactive, a database services company based in Irving, TX, were compromised by hackers, exposing the names and email addresses of millions of American consumers to the spam-o-sphere.
Within hours, alerts hit my personal inbox from Kroger, Target, Walgreen and HiltonHHonors informing me that they had been struck and that one of my addresses was now in the wild. Why did these gigantic companies have my email address stored in Epsilon servers? Simple. I am enrolled in their frequent shopper programs. And until now, Epsilon was as reputable and secure a place as you could get to host your customer data.
Which partly explains why the 50 or so huge retail and consumer-facing companies whose customer email lists were exposed by this attack include the likes of Best Buy, HSN, CapitalOne, Citigroup, JPMorgan Chase, Marriott and TiVo. These companies depend on email communications for the inexpensive delivery of relevant messaging and offers to their customers. Now each of them has been forced to warn their customers about the potential for spam and phishing attacks. By email.
The implications of this are quite chilling, and should give pause to every Chief Marketing Officer and Chief Customer Officer charged with the custody of shopper relationships and brand equity. Shareholders had better pay attention too. This, my friends, is your first early warning. I call it the Epsilon Imperative.
First, the good news
It could have been worse. While the data quantities are vast, and the affected brands are iconic, at least the damage was limited to names and email addresses, we are told. Wholesale identity theft does not appear to be a great direct risk, although enterprising list dealers and data miners will be tempted to merge the email address tables with other lists, thus creating more complete profiles for future exploitation.
And the email notices I received came fairly promptly. Well, one from McKinsey Quarterly arrived within hours of the media alert on Saturday. Walgreen and Fry’s (Kroger) got their notices to us later the same day. Hilton and Target waited until after the weekend. (OK, timings of the last two are really not that impressive, come to think of it.)
The positive take-away is that most of the frequent shopper/guest list owners exhibited some consciousness of responsibility for the incident, even though it was caused by an outside criminal act against a third-party service bureau (Epsilon). They acted promptly, recognizing that shoppers and guests must be made to feel that the brands have their best interests at heart. Failure to inform would be a lapse of good faith.
Why marketers should care
While preserving public confidence and brand equity are major concerns, they are only one factor for top retail and hospitality executives. Another, less-understood implication is legal and regulatory exposure. This is an area that evolved rapidly following the notorious TJX data breach of 2005, which exposed 46 million credit card numbers but did not come to light until 2007.
California led the pack with the first security breach notification legislation in 2008. But the model for this legislation came, not surprisingly, from the state of Massachusetts, where TJX is headquartered. At least 46 other states followed with their own versions.
The Massachusetts General Law titled, “Standards for Protection of Personal Information of Residents of the Commonwealth” (Chapter 93H), defines a comprehensive set of data security obligations on businesses, including the development and maintenance of a “comprehensive written information security program.” Deadline for compliance with this law was Mar. 1, 2010.
Several legal scholars have observed that the Massachusetts law would apply to every company that has even one list member residing within the state. It also sets the best-practice standard for written information security programs. Since modern ecommerce is “borderless,” many companies will be subject to such oversight in every state.
This means that any company with a direct marketing or frequent shopper list that fails to prepare and maintain a private data response plan may be exposed to dozens of lawsuits brought by state attorneys general. Legal fees and fines can spiral out of hand, and the secondary damage to brand reputation may be multiplied along with them. It seems that loyalty programs just got harder to operate.
Protect your shoppers – and your brand
What can a responsible marketing executive do to protect customers and company from the cascade of negative consequences that may result from the inevitable data breach? Maintaining state-of-the-art data security measures and the comprehensive written information security program are certainly essential. CIOs worldwide work feverishly at data security, but it’s up to the CMO and CCO to protect brand and customer equity by ensuring that sound response plans and practices are put into place.
A great many consumer-facing businesses consider loyalty and relevance-based marketing to be essential competitive activities. Shoppers and consumers have come to expect the personalized services and rewards promised by these programs. Firms depend on their customer databases to deliver crucial insights that enable efficient and well-targeted marketing programs.
In light of the Epsilon event however, retail and hospitality CMOs and CCOs now face a new imperative. They must confront new questions like:
- How is the consumer’s perception of our brand affected now that their information has been violated?
- Is the value of our brand and customer equity negatively affected by a data breach? How bad is the damage?
- Are we prepared to demonstrate our diligence to our customers and card holders by mobilizing rapid notification and protective actions?
- What compensation can we provide to the consumer for their discomfort, angst, worry?
- Can our forthright response turn a data breach into a service recovery opportunity so that we gain trust, not lose it?
In today’s world, the relevant question regarding data breaches is not “If?” but “When?” Set against the emerging legal backdrop of state and foreign regulations, this means loyalty and direct marketers must maintain a dynamic preparedness and response plan that can be triggered instantly when such an event occurs. This is a capability few companies have today, but one that all should acquire.