Brand reputation: Why marketers need to be making data security a priority

Hot on the heels of the Facebook/Cambridge Analytica data breach comes the news the Marriott has suffered a breach affecting up to 500 million guests and NASA suffered an employee data breach in October. This is on top of PageUp, an Australian SaaS provider, announcing it had suffered a significant security breach in May. Over the years, Yahoo, Google, Equifax and many other companies have suffered the same fate.

With various data privacy regulations being implemented around the world, plus a recent report claiming consumers are holding companies responsible for data security and are likely to take legal action if they suffer a data breach, brands are in a precarious position.

Consumers are all too aware of their rights when it comes to data privacy, and are willing to abandon previously well-liked brands if their data is misused, breached or inappropriately traded. 

In fact, the recent HP Australia IT Security Study revealed many Australians are choosing not to share their personal information with SMBs, likely due to growing privacy concerns, despite SMBs indicating this data is critical to their success. 

In the wake of this series of high-profile data breaches, 46 per cent of Australian SMBs surveyed said their customers are increasingly opting out of data collection and sharing. Even business owners themselves were found to be wary, with 67 per cent stating they are uncomfortable with other businesses storing their personal data.

However, half of SMBs surveyed (49 per cent) said access to customers’ personal information is essential to their day-to-day business operations, while 60 per cent said they needed detailed customer information to deliver more personalised customer services and to ultimately grow their business. 

No wonder consumers are wary. The Office of the Australian Information Commissioner (OAIC) has reported personal contact information such as home address, email and phone number details typically feature in 89 per cent of data breaches.

“The past year has seen a number of high profile data breaches, which has no doubt increased consumer wariness around how businesses collect, use and store their personal data,” said interim managing director, HP South Pacific, Paul Gracey. “In a climate where most Australians have some nervousness around maintaining their privacy, SMBs need to be extra diligent in maintaining their role as trusted custodians of a customer’s most personal information.”

The HP report also stated, nearly a year on from the introduction of Australia’s Notifiable Data Breaches (NDB) scheme (February 2018), many Australian SMBs are still not adequately prepared. The majority have also not effectively responded to the EU General Data Protection Regulation (GDPR), which came into effect in May 2018.

One thing is clear, without an adequate data protection plan, brands can spend years building vital consumer trust, only to have it destroyed in a matter of moments in the event of a badly handled data breach. Cases in point: Cambridge Analytica has now folded, Facebook has been fined, Yahoo has been fined, Google+ is shutting down, and barely a day goes by where some kind of data issue isn’t reported widely around the world.

Trust is vital

In an age where consumers hold the power to make or break a brand via their social media accounts, trust is more important than ever. It is no longer an added bonus, rather, it is now vital to not only the bottom line, but also as a method of building customer capital, which drives engagement and sales, and can actually act as insurance against a crisis.

Key to this trust is the proper handling of data. Data for personalisation may delight some consumers, but if data is misused, even for the sake of deeper personalisation, trust will be lost, and unless a company has very deep pockets, it can mean the end of business altogether.

Salesforce’s recent State of Marketing report found nearly a third (32 per cent) of A/NZ marketers feel challenged to balance personalisation with privacy, and 51 per cent of marketing teams say they’re more mindful about balancing personalisation and privacy than they were two years ago.

Marriott's data breach

One thing is certain, data breaches will continue into the future as more data is collected and stored. But a breach doesn’t have to mean the end of a brand. If handled well, a breach can restore, or even enhance, brand reputation. Transparency is key; transparency in the handling, collection and use of consumer data, and transparency, and clear action and restitution, in the event of a breach.

The most recent example is Marriott’s data breach. According to a statement released by the chain, on 8 September 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott engaged security experts to help determine what occurred and subsequently learned there had been unauthorised access to the Starwood network since 2014.

Information on up to approximately 500 million guests who made a reservation at a Starwood property is involved and for approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information many also include payment card numbers and payment card expiration dates.

For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.

Starwood properties impacted include: The Westin, Sheraton, The Luxury Collection, Four Points by Sheraton, W Hotels, St. Regis, Le Méridien, Aloft, Element, Tribute Portfolio, and Design Hotels.

Marriott has set up a dedicated website and call centre to answer its customers’ questions about their personal information and the data breach, and it has ‘started’ emailing customers who have been affected. In certain countries and regions, Marriott is also offering affected guests the opportunity to enrol in a personal information monitoring service, WebWatcher or IdentityWorks Global Internet Surveillance, free of charge for one year.

While Marriott expressed ‘regret’ over the incident, has it gone far enough in the eyes of consumers? CMO talked to some experts, and while Marriott appears to have done quite a few things right – it has done some crucial things wrong.

Cannings senior director, Luis Garcia, said Marriott has gotten some things right, and some things wrong, when it comes to handling a brand reputation scandal of this magnitude.

“Its initial statement explained how the breach came about, how many guests were affected, and what the company had done to investigate and fix the problem, which is good. It also set up a dedicated website for customers and offered other assistance,” Garcia said. “But then Marriott failed where it matters: in saying sorry to its customers, in clear language and without conditions.

“When someone steals the personal details of as many as 500 million of your clients, you expect more from the company than a statement expressing regret – and you expect the CEO to take responsibility for fixing the problem.”

Phil Huzzard, agency principal and co-founder of Melbourne agency, DPR&Co said somewhere, somehow, a hacker is trying to break through a firewall somewhere right now, so being prepared for a breach is vital.

“We live in an age where we’ve exchanged our personal data for other value, such as convenience, customisation and service. We also live in a world where that data is highly prized by some very smart criminals. We need to get used to the uncomfortable fact that data breaches are inevitable,” he said.

“Marriott look to be doing Issues Management 1.01 [accept responsibility, acknowledge that they’ve had a failure, deal with it the best they can]. That, along with trying to prevent it from happening again is all you can expect. They get an eight out of 10.”

Trend Micro A/NZ country director, Ashley Watkins, said Australian organisations need to not only make cybersecurity a key focus, but also prioritise disclosure and transparency with their customer network.

“News that PageUp have launched an investigation following a potential data breach reminds us that Australian organisations – no matter how big or small – are operating in a new era of cyber requirements,” Watkins said.

“Historically, many companies have taken a complacent approach to data security, but this is starting to change since the introduction of the NDB earlier this year. The unfortunate reality is that data breaches do happen, so it’s paramount that organisations pay close attention to their disclosure processes and prioritise transparency with their customers. It’s how organisations handle the breach from beginning to end that will have a lasting impact on customer trust and public perception.”

Keeping privacy front and centre

Only time will tell how well Marriott can weather this storm. But one thing is clear, proper data privacy needs to be at the very top of every businesses’ ‘to do’ list.

The Association of Market and Social Research Organisations (AMSRO) applauded the recent Australian Competition and Consumer Commission’s (ACCC) preliminary Digital Platforms Inquiry report and proposals to further protect the privacy of individuals across the digital landscape.

“Ethical behaviour, independent certification and privacy law are the three pillars that underpin AMSRO member compliance. The ACCC’s recommendations for an independently reviewed, co-regulated framework to monitor digital giants is very welcome,” said Craig Young, AMSRO President.

“If we are to expect ongoing co-operation from the public, whose opinions are the lifeblood of our industry and others, we all need to be transparent, responsible and held to account.”

Neeraj Murarka, CTO and founder of the decentralised database ecosystem, Bluzelle, believes 2019 will be the year of innovations in marketing data technology, particularly around data protection.

"The biggest challenge for marketing data in 2019 is for brands to be transparent about what data they are collecting and what they are doing with that data. No brand wants to be the next Facebook, so they need to look to emerging technology like blockchain and decentralisation to help protect consumer data and enable consumers to 'own' their data, ultimately deciding who has access to it. Consumers are becoming more savvy and it’s the brands who can show what lengths they are going to, to protect their data that will win out in 2019."

Megan McKenna, VP of marketing at Lotame, said as fraud continues, data quality will grow as a concern as well.

“Audience data quality is a growing challenge for the industry. Invalid traffic through bots is especially harmful, and can skew analytics for publishers and marketers alike. A summer report by DoubleVerify found that desktop-based fraud is falling, however, mobile fraud and CTV scams are exploding.

“GDPR and potential state-by-state privacy guidelines will bring more complexity in managing consumer consent. In fact, in 2019, we’ll see consent become a branded term in how data is acquired and used. Today, the consent framework generally sits with publishers, but next year, we’ll start seeing it pop up more with marketers. Managing consent will become more prevalent and opportunity-driven for them. As a result, I anticipate that vendors will be focused on working with marketers around the management of consumer identities. While GDPR has made things more challenging for many tech platforms, it will also be a key business opportunity.”

Follow CMO on Twitter: @CMOAustralia, take part in the CMO conversation on LinkedIn: CMO ANZ, join us on Facebook: https://www.facebook.com/CMOAustralia, or check us out on Google+:google.com/+CmoAu