Ashley Madison is a wake-up call for all marketers on data retention

Jodie Sangster

Jodie Sangster has been the CEO of the Association for Data-driven Marketing and Advertising (ADMA) since 2011 and is also chairperson for the International Federation of Direct Marketing Associations (IFDMA). She has worked across the US, Europe and Asia-Pacific for 14 years with a focus on data-driven marketing and privacy, and began her career as a lawyer in London specialising in data protection. Her resume includes senior positions at Acxiom Asia-Pacific and the Direct Marketing Association in New York.

The recent Ashley Madison hack is a wake-up call not only for consumers, but also for marketers and companies – many of which still do not take their customers’ privacy or data security seriously enough.

There have been other, bigger, high-profile data breaches. But somehow they have seemed more remote and perhaps the consequences not so bad. For example, replacing a credit card is inconvenient and annoying, but not the end of the world.

But the hack of a website that encourages users to indulge in extramarital affairs, which revealed the email addresses, personal details and preferences of that site’s 36 million users, is more devastating. Stories abound of users getting divorced and of careers and jobs being compromised.

As for the Canada-based company, it’s hard to see how it will regain the trust of its customers and remain in business, especially with a tsunami of legal action headed its way. In the meantime, acting Australian Information Commissioner, Timothy Pilgrim, has announced a joint investigation with the Office of the Privacy Commissioner of Canada into the breach.

Lessons to be learnt

If ever there was an alarm bell for marketers, this is it. To that end, there are four lessons to keep in mind from the hack.

First, consumer data is a company’s most valuable asset and, as a result, requires the appropriate level of protection and care.

Second, the Ashley Madison hack is a reminder to collect and keep only the customer data you need, protect it while it’s held, and delete it when it’s no longer needed. The law also requires that companies tell consumers how their data will be handled, secured and stored, and allow consumers access to it. If a breach occurs, the Privacy Commissioner can issue fines of up to $1.8 million per data breach.

Ashley Madison had a lot of personal data it didn’t need, including names and email addresses of people no longer using its services or who had signed up, but not actually used the service. But the repercussions for everyone caught in the breach, whether innocent or guilty, were huge.

Third, the level of data security you apply must be commensurate with the data held. In other words, the level of security in place should reflect the potential risk and damage to consumers should that information be inappropriately accessed.

Fourth, all businesses need to think about the consequences of a data breach and what could happen. It’s always dangerous to think you aren’t going to be a target for hackers. Data is a valuable commodity for many. Also keep in mind that some hackers aren’t hacking to obtain data, but as a challenge to business – to simply prove they can hack where they like, when they like.

To be as safe as possible, organisations should be regularly reviewing how they store, manage and secure their data for any potential issues. That means changing passwords regularly, providing ongoing security training to staff, updating operating systems, firewalls, encryption and antivirus software, and ensuring only certain staff can access data.

Many companies think protection only applies to databases. But there are other best practice measures that should be followed. For example, physical data should be secured. Importantly, if you allow staff to bring their own laptops or devices to work, make sure you have robust protections in place and encrypt personal data. You’d be surprised at how often people walk out of the office with a laptop that doesn’t have passwords or encryption, and it gets left behind on a bus or in a taxi.

Companies also need to have a crisis plan in place if they’re hacked. This could include shutting down systems quickly and having processes in place to inform consumers and the authorities about the hack. The majority of companies don’t have a plan and that’s a concern.

Hacking is a crime and an element of business life we need to protect ourselves against. Companies have a role to play in securing consumer data to a high standard and consumers need to protect themselves by thinking through what personal information they will share with companies. The Ashley Madison hack is the quintessential example of a company and consumers not thinking through the consequences of their data being hacked and made public.

New data retention laws

On another matter, obligations under the new data retention laws came into effect on 13 October 2015, and we’ve had a few calls from retailers and businesses in the lead-up asking about any obligations arising from the new laws.

The answer is the new data retention laws only apply to telecommunication companies and Internet service providers – about 300 companies in total. In a nutshell, these organisations will be required to retain information about people’s telecommunications and online usage.

Retention periods fall into two categories. Some data must be stored for a two-year period, to help law enforcement and intelligence organisations in investigating criminal and national security threats. It must also be encrypted and protected from unauthorised interference or access. In other cases, information must be retained for the life of the account plus an additional two years when the account is closed.

There is controversy as the new laws require retention of metadata, which has been left vague and open to interpretation. There is no definition of metadata in the legislation though there is some indication of what is and isn’t included.

Generally, it will include subscriber or account holder names, addresses, date of birth, financial and billing information; traffic data such as numbers called and texted, as well as times and dates of communications; a user’s IP address and type/location of communication equipment.

Metadata does not include content such as the content of emails, SMS, Web browsing history or social media (at least in Australia in the latter case). Where there is a need to access the actual content of communications, a warrant is needed. Similarly, a warrant will be required to access journalists’ metadata in order to identify a source.

Cost is also a concern. Implementation of the new data retention scheme has been estimated to cost between $189 million and $319 million, according to the government-commissioned report from PricewaterhouseCoopers. Despite this, only $131 million was allocated for the Government’s contribution in the 2015 budget, with an additional $10.6 million over four years to support the role of various government departments and $6.7 million over four years to fund oversight of the scheme by the Commonwealth Ombudsman. The shortfall will have to be met by business, and ultimately, consumers.
