THE ERA OF INDIVIDUAL PRIVACY may turn out to be a mere blip in the sequence of human history, as the smothering embrace of the World Wide Web makes our every click and consumption act a new molecule in the Big Data tsunami. Marketers salivate at the potential to sift the flow and aim relevant offers with pinpoint accuracy.
If they have their way unimpeded, privacy may turn out to be the human right that never was. People with means may put up barriers to make their personal information difficult to obtain. Everybody else would stand naked in the virtual town square, shielded only by the sheer numbers of their peers.
No wonder reasonable people worry that targeting may easily transmute into stalking when marketers apply automation to their process. The mechanisms and practices are not readily visible to normal citizens. I think this makes the reality both better and worse than it really seems.
IN WHAT SOME observers say was the largest breach of consumer data in history, this week servers at Epsilon Interactive, a database services company based in Irving, TX, were compromised by hackers, exposing the names and email addresses of millions of American consumers to the spam-o-sphere.
Within hours, alerts hit my personal inbox from Kroger, Target, Walgreen and Hilton HHonors informing me that they had been struck and that one of my addresses was now in the wild. Why did these gigantic companies have my email address stored in Epsilon servers? Simple. I am enrolled in their frequent shopper programs. And until now, Epsilon was as reputable and secure a place as you could get to host your customer data.
Which partly explains why the 50 or so huge retail and consumer-facing companies whose customer email lists were exposed by this attack include the likes of Best Buy, HSN, CapitalOne, Citigroup, JPMorgan Chase, Marriott and TiVo. These companies depend on email communications for the inexpensive delivery of relevant messaging and offers to their customers. Now each of them has been forced to warn their customers about the potential for spam and phishing attacks. By email.
The implications of this are quite chilling, and should give pause to every Chief Marketing Officer and Chief Customer Officer charged with the custody of shopper relationships and brand equity. Shareholders had better pay attention too. This, my friends, is your first early warning. I call it the Epsilon Imperative.
First, the good news
It could have been worse. While the data quantities are vast, and the affected brands are iconic, at least the damage was limited to names and email addresses, we are told. Wholesale identity theft does not appear to be a great direct risk, although enterprising list dealers and data miners will be tempted to merge the email address tables with other lists, thus creating more complete profiles for future exploitation.
And the email notices I received came fairly promptly. Well, one from McKinsey Quarterly arrived within hours of the media alert on Saturday. Walgreen and Fry’s (Kroger) got their notices to us later the same day. Hilton and Target waited until after the weekend. (OK, timings of the last two are really not that impressive, come to think of it.)
The positive take-away is that most of the frequent shopper/guest list owners exhibited some consciousness of responsibility for the incident, even though it was caused by an outside criminal act against a third-party service bureau (Epsilon). They acted promptly, recognizing that shoppers and guests must be made to feel that the brands have their best interests at heart. Failure to inform would be a lapse of good faith.
Why marketers should care
While preserving public confidence and brand equity is a major concern, it is only one factor for top retail and hospitality executives. Another, less-understood implication is legal and regulatory exposure. This is an area that evolved rapidly following the notorious TJX data breach of 2005, which exposed 46 million credit card numbers but did not come to light until 2007.
California led the pack with the first security breach notification legislation in 2008. But the model for this legislation came, not surprisingly, from the state of Massachusetts, where TJX is headquartered. At least 46 other states followed with their own versions.
The Massachusetts General Law titled, “Standards for Protection of Personal Information of Residents of the Commonwealth” (Chapter 93H), defines a comprehensive set of data security obligations on businesses, including the development and maintenance of a “comprehensive written information security program.” Deadline for compliance with this law was Mar. 1, 2010.
Several legal scholars have observed that the Massachusetts law would apply to every company that has even one list member residing within the state. It also sets the best practice standard for written information security programs. Since modern ecommerce is “borderless,” many companies will be subject to such oversight in every state.
This means that any company with a direct marketing or frequent shopper list that fails to prepare and maintain a private data response plan may be exposed to dozens of lawsuits brought by state attorneys general. Legal fees and fines can spiral out of hand, and the secondary damage to brand reputation may be multiplied along with them. It seems that loyalty programs just got harder to operate.
Protect your shoppers – and your brand
What can a responsible marketing executive do to protect customers and company from the cascade of negative consequences that may result from the inevitable data breach? Maintaining state-of-the-art data security measures and the comprehensive written information security program are certainly essential. CIOs worldwide work feverishly at data security, but it’s up to the CMO and CCO to protect brand and customer equity by ensuring that sound response plans and practices are put into place.
A great many consumer-facing businesses consider loyalty and relevance-based marketing to be essential competitive activities. Shoppers and consumers have come to expect the personalized services and rewards promised by these programs. Firms depend on their customer databases to deliver crucial insights that enable efficient and well-targeted marketing programs.
In light of the Epsilon event, however, retail and hospitality CMOs and CCOs now face a new imperative. They must confront new questions like:
How is the consumer’s perception of our brand affected now that their information has been violated?
Is the value of our brand and customer equity negatively affected by a data breach? How bad is the damage?
Are we prepared to demonstrate our diligence to our customers and card holders by mobilizing rapid notification and protective actions?
What compensation can we provide to the consumer for their discomfort, angst, worry?
Can our forthright response turn a data breach into a service recovery opportunity so that we gain trust, not lose it?
In today’s world, the relevant question regarding data breaches is not “If?” but “When?” Set against the emerging legal backdrop of state and foreign regulations, this means loyalty and direct marketers must maintain a dynamic preparedness and response plan that can be instantly triggered when a negative event occurs. This is a capability few companies have today, but one that all should acquire.
ELEVEN DAYS AGO I was a passenger in a van traveling south on Rte. 15 toward Hermosillo, Sonora, Mexico, when we came upon a sight that turned our heads and quieted our voices.
About 100 kilometers south of the border city of Nogales, Arizona, near the town of Benjamin Hill, Sonora, we spied a line of 18-wheelers stopped in the northbound lanes. They were waiting for inspectors in military uniforms to clear them for the trip further north.
The line of tractor-trailers stretched impressively into the distance, over the next rise. Several drivers lolled on the highway median waiting their turn. It had evidently been a long wait.
As we crested the hill, it became apparent that the line-up went much further. In fact, it took about 10 minutes at highway speed to pass all the idling trucks, each rise delivering another surprise; until finally we passed the last pair of truckers, standing in the weeds, checking their watches.
“That’s a lot of money sitting still,” I said to the man sitting next to me, who returned a serious nod.
We pressed on to our destination, the Sonora Spring Grape Summit, where, it would turn out, that line of trucks would be a topic of some serious conversation for the growers, packers, importers, retailers and officials present.
Marco Antonio Camou, undersecretary of agriculture for Sonora’s state department of agriculture, who addressed the group, said the backup we had witnessed stretched for “16 or 17 kilometers,” causing delays of approximately 10 hours. (The satellite photo above shows the front of the queue on a recent day.)
Camou showed some photos of a just-completed security inspection facility on the highway designed to process 180 trucks per hour, using sophisticated x-ray machines and other gear. It was scheduled to open before the end of April, with a full-time complement of up to 180 Mexican military personnel barracked on the premises. Their primary mission: Find and stop contraband, especially drugs.
On our return trip north the next day, we passed a similar lineup and got a better view of the impressive-looking inspection station on the east side of the highway. Watching all those big wheels standing still made the little wheels in my head turn furiously. After my return to Tucson, I did some fact-checking and quick math:
An average 18-wheeler is 60 feet long; so about 85 trucks, parked end to end, cover a mile.
16 kilometers is almost exactly 10 miles; so the line we witnessed encompassed about 850 trucks.
If we assume each truck carries legitimate cargo valued at an average of $50,000, then we saw $43 million worth of goods sitting idle, for an average of 10 hours, adding a full day to the time of transport.
Cost of capital? $43,000,000 x 5% per year /365 days = about $6,000 per day
Cost of loss of product freshness? Assuming an average of 0.1% per day = $43,000/day
Cost of driver down time? At $50/driver/day = $50 x 850 = $43,000/day
Cost of diesel fuel burned by idling trucks? Assuming 30 gallons/truck/day x $3.00/gal. x 850 trucks = $77,000/day
In other words, the line-up we witnessed added nearly $180,000 to the cost of goods moving through that inspection point. In one day.
Not to mention the unreported cost to Mexican taxpayers for construction and maintenance of the inspection facility, equipment and troops to man it.
Mind you, these internal security checkpoints (they are located on most major highways in northern Mexico) are in addition to the U.S. Customs inspection points the same trucks must pass at the border. The Mariposa station between Nogales, Sonora and Nogales, Arizona, reportedly handles almost 300,000 trucks crossing into the United States annually. All of them wait in line too. To try to improve this bottleneck on the U.S. side, a new facility expansion has been authorized here, at a cost of $200 million over the next 3-4 years.
For my new friends in Hermosillo who grow, pack and ship more than 10 million boxes of table grapes to American markets each spring, the improved inspection facilities should save time, money and product freshness. Sadly, the cost and complexity introduced by realistic security measures on both sides of the border are unavoidable and shared by all of us.