Ashley Madison is a wake-up call for all marketers on data retention

Jodie Sangster

Jodie Sangster has been the CEO of the Association for Data-driven Marketing and Advertising (ADMA) since 2011 and is also chairperson for the International Federation of Direct Marketing Associations (IFDMA). She has worked across the US, Europe and Asia-Pacific for 14 years with a focus on data-driven marketing and privacy, and began her career as a lawyer in London specialising in data protection. Her resume includes senior positions at Acxiom Asia-Pacific and the Direct Marketing Association in New York.

The recent Ashley Madison hack is a wake-up call not only for consumers, but also for marketers and companies – many of which still do not take their customers’ privacy or data security seriously enough.

There have been other, bigger, high-profile data breaches. But somehow they have seemed more remote and perhaps the consequences not so bad. For example, replacing a credit card is inconvenient and annoying, but not the end of the world.

But the hack of a website that encourages users to indulge in extramarital affairs and which revealed the email addresses, personal details and preferences of that site’s 36 million users, is more devastating. Stories abound of users getting divorced and careers/jobs compromised.

As for the Canada-based company, it’s hard to see how it will regain the trust of its customers and remain in business, especially with a tsunami of legal action headed its way. In the meantime, acting Australian Information Commissioner, Timothy Pilgrim, has announced a joint investigation with the Office of the Privacy Commissioner of Canada into the breach.

Lessons to be learnt

If ever there was an alarm bell for marketers, this is it. To that end, there are four lessons to keep in mind from the hack.

First, consumer data is a company’s most valuable asset and, as a result, requires the appropriate level of protection and care.

Second, the Ashley Madison hack is a reminder, as a start, to only collect and keep the customer data you need, protect it while it’s held, and then delete it when it’s no longer needed. The law also requires that companies tell consumers how their data will be handled, secured and stored and to allow consumers access to it. If a breach occurs, the Privacy Commissioner can issue fines of up to $1.8 million per data breach.

Ashley Madison had a lot of personal data it didn’t need, including names and email addresses of people no longer using its services or who had signed up, but not actually used the service. But the repercussions for everyone caught in the breach, whether innocent or guilty, were huge.

Third, the level of data security you apply must be commensurate with the data held. In other words, the level of security in place should reflect the potential risk and damage to consumers should that information be inappropriately accessed.

Fourth, all businesses need to think about the consequences of a data breach and what could happen. It’s always dangerous to think you aren’t going to be a target for hackers. Data is a valuable commodity for many. Also keep in mind that some hackers aren’t hacking to obtain data, but as a challenge to business – to simply prove they can hack where they like, when they like.

To be as safe as possible, organisations should be regularly reviewing how they store, manage and secure their data for any potential issues. That means changing passwords regularly, providing ongoing security training to staff, updating operating systems, firewalls, encryption and antivirus software, and ensuring only certain staff can access data.

Many companies think protection only applies to databases. But there are other best practice measures that should be followed. For example, physical data should be secured. Importantly, if you allow staff to bring their own laptops or devices to work, make sure you have robust protections in place and encrypt personal data. You’d be surprised at how often people walk out of the office with a laptop that doesn’t have passwords or encryption, and it gets left behind on a bus or in a taxi.

Companies also need to have a crisis plan in place if they’re hacked. This could include shutting down systems quickly and having processes in place to inform consumers and the authorities about the hack. The majority of companies don’t have a plan and that’s a concern.

Hacking is a crime and an element of business life we need to protect ourselves against. Companies have a role to play in securing consumer data to a high standard and consumers need to protect themselves by thinking through what personal information they will share with companies. The Ashley Madison hack is the quintessential example of a company and consumers not thinking through the consequences of their data being hacked and made public.

New data retention laws

On another matter, obligations under the new data retention laws came into effect 13 October 2015 and we’ve had a few calls from retailers and businesses in the lead up asking about any obligations arising from the new laws.

The answer is the new data retention laws only apply to telecommunication companies and Internet service providers – about 300 companies in total. In a nutshell, these organisations will be required to retain information about people’s telecommunications and online usage.

Retention periods fall into two categories. Some data must be stored for a two-year period, to help law enforcement and intelligence organisations in investigating criminal and national security threats. It must also be encrypted and protected from unauthorised interference or access. In other cases, information must be retained for the life of the account plus an additional two years when the account is closed.

There is controversy as the new laws require retention of metadata, which has been left vague and open to interpretation. There is no definition of metadata in the legislation though there is some indication of what is and isn’t included.

Generally, it will include subscriber or account holder names, addresses, date of birth, financial and billing information; traffic data such as numbers called and texted, as well as times and dates of communications; a user’s IP address and type/location of communication equipment.

Metadata does not include content such as the content of emails, SMS, Web browsing history or social media (at least in Australia in the latter case).Where there is a need to access the actual content of communications a warrant is needed. Similarly, a warrant will be required to access journalists’ metadata in order to identify a source.

Cost is also a concern. Implementation of the new data retention scheme has been estimated to cost between $189 million to $319 million, according to the government-commissioned report from PricewaterhouseCoopers. Despite this, only $131 million was allocated for the Government’s contribution in the 2015 budget, with an additional $10.6 million dollars over four years to support the role of various government departments and $6.7 million over four years to fund oversight of the scheme by the Commonwealth Ombudsman. The shortfall will have to be met by business, and ultimately, consumers.

Tags: digital marketing, data-driven marketing, marketing strategy

Show Comments

Featured Whitepapers

State of the CMO 2019

CMO’s State of the CMO is an annual industry research initiative aimed at understanding how ...

More whitepapers

Blog Posts

Does your brand need a personality review?

There are five tell-tale signs your brand needs to take a long hard look at itself.

Charlie Rose

Senior Strategy Consultant, Principals

How to create profitable pricing

How do we price goods and services? As business leaders, we have asked ourselves this question since the history of trading.

Lee Naylor

Managing partner, The Leading Edge

Sport and sponsorship: The value of event sponsorship

Australia’s cricketers captured the nation’s attention during their recent run to the semi-final of the ICC Men’s World Cup. While the tournament ultimately ended in defeat, for over a month it provoked a sense of belonging, hope and empowerment for millions of people across Australia. Cricket, and sport in general, has a near-unique ability to empower individuals, irrelevant of their background, demographic or nationality.

Nikhil Arora

Vice-president and managing director, GoDaddy India

I should check these guidelines. I think it's important for me. Thanks for the info!

Juana Morales

IAB releases social media comment moderation guidelines

Read more

I didn't know about that. Thanks!

Jamison Herrmann

Twitter 'recap' helps you catch up with missed tweets

Read more


Max Polding

What it takes to turnaround an iconic Australian brand

Read more

I spend a lot of time in my professional life as a provider of marketing solutions trying to persuade customers that CX, UX, UI and Custo...


Gartner VP: Why CMOs and CIOs must band together to make CX a discipline

Read more

I live the best deals at LA Police Gear.

Tyrus Rechs

6 Ways to ramp up Social Media to Your Web Design

Read more

Latest Podcast

More podcasts

Sign in