Ashley Madison is a wake-up call for all marketers on data retention

Jodie Sangster

Jodie Sangster has been the CEO of the Association for Data-driven Marketing and Advertising (ADMA) since 2011 and is also chairperson for the International Federation of Direct Marketing Associations (IFDMA). She has worked across the US, Europe and Asia-Pacific for 14 years with a focus on data-driven marketing and privacy, and began her career as a lawyer in London specialising in data protection. Her resume includes senior positions at Acxiom Asia-Pacific and the Direct Marketing Association in New York.

The recent Ashley Madison hack is a wake-up call not only for consumers, but also for marketers and companies – many of which still do not take their customers’ privacy or data security seriously enough.

There have been other, bigger, high-profile data breaches. But somehow they have seemed more remote and perhaps the consequences not so bad. For example, replacing a credit card is inconvenient and annoying, but not the end of the world.

But the hack of a website that encourages users to indulge in extramarital affairs, which revealed the email addresses, personal details and preferences of that site’s 36 million users, is more devastating. Stories abound of users getting divorced and careers/jobs compromised.

As for the Canada-based company, it’s hard to see how it will regain the trust of its customers and remain in business, especially with a tsunami of legal action headed its way. In the meantime, acting Australian Information Commissioner, Timothy Pilgrim, has announced a joint investigation with the Office of the Privacy Commissioner of Canada into the breach.

Lessons to be learnt

If ever there was an alarm bell for marketers, this is it. To that end, there are four lessons to keep in mind from the hack.

First, consumer data is a company’s most valuable asset and, as a result, requires the appropriate level of protection and care.

Second, the Ashley Madison hack is a reminder, as a start, to collect and keep only the customer data you need, protect it while it’s held, and delete it when it’s no longer needed. The law also requires that companies tell consumers how their data will be handled, secured and stored, and allow consumers access to it. If a breach occurs, the Privacy Commissioner can issue fines of up to $1.8 million per data breach.

Ashley Madison had a lot of personal data it didn’t need, including names and email addresses of people no longer using its services or who had signed up, but not actually used the service. But the repercussions for everyone caught in the breach, whether innocent or guilty, were huge.

Third, the level of data security you apply must be commensurate with the data held. In other words, the level of security in place should reflect the potential risk and damage to consumers should that information be inappropriately accessed.

Fourth, all businesses need to think about the consequences of a data breach and what could happen. It’s always dangerous to think you aren’t going to be a target for hackers. Data is a valuable commodity for many. Also keep in mind that some hackers aren’t hacking to obtain data, but as a challenge to business – to simply prove they can hack where they like, when they like.

To be as safe as possible, organisations should be regularly reviewing how they store, manage and secure their data for any potential issues. That means changing passwords regularly, providing ongoing security training to staff, updating operating systems, firewalls, encryption and antivirus software, and ensuring only certain staff can access data.

Many companies think protection only applies to databases. But there are other best practice measures that should be followed. For example, physical data should be secured. Importantly, if you allow staff to bring their own laptops or devices to work, make sure you have robust protections in place and encrypt personal data. You’d be surprised at how often people walk out of the office with a laptop that doesn’t have passwords or encryption, and it gets left behind on a bus or in a taxi.

Companies also need to have a crisis plan in place if they’re hacked. This could include shutting down systems quickly and having processes in place to inform consumers and the authorities about the hack. The majority of companies don’t have a plan and that’s a concern.

Hacking is a crime and an element of business life we need to protect ourselves against. Companies have a role to play in securing consumer data to a high standard and consumers need to protect themselves by thinking through what personal information they will share with companies. The Ashley Madison hack is the quintessential example of a company and consumers not thinking through the consequences of their data being hacked and made public.

New data retention laws

On another matter, obligations under the new data retention laws came into effect on 13 October 2015, and we’ve had a few calls from retailers and businesses in the lead-up asking about any obligations arising from the new laws.

The answer is the new data retention laws only apply to telecommunication companies and Internet service providers – about 300 companies in total. In a nutshell, these organisations will be required to retain information about people’s telecommunications and online usage.

Retention periods fall into two categories. Some data must be stored for a two-year period, to help law enforcement and intelligence organisations in investigating criminal and national security threats. It must also be encrypted and protected from unauthorised interference or access. In other cases, information must be retained for the life of the account plus an additional two years when the account is closed.

There is controversy as the new laws require retention of metadata, which has been left vague and open to interpretation. There is no definition of metadata in the legislation though there is some indication of what is and isn’t included.

Generally, it will include subscriber or account holder names, addresses, date of birth, financial and billing information; traffic data such as numbers called and texted, as well as times and dates of communications; a user’s IP address and type/location of communication equipment.

Metadata does not include content such as the content of emails, SMS, Web browsing history or social media (at least in Australia in the latter case). Where there is a need to access the actual content of communications, a warrant is needed. Similarly, a warrant will be required to access journalists’ metadata in order to identify a source.

Cost is also a concern. Implementation of the new data retention scheme has been estimated to cost between $189 million and $319 million, according to the government-commissioned report from PricewaterhouseCoopers. Despite this, only $131 million was allocated for the Government’s contribution in the 2015 budget, with an additional $10.6 million over four years to support the role of various government departments and $6.7 million over four years to fund oversight of the scheme by the Commonwealth Ombudsman. The shortfall will have to be met by business and, ultimately, consumers.

Tags: digital marketing, data-driven marketing
