Ashley Madison is a wake-up call for all marketers on data retention

Jodie Sangster

CEO, ADMA
Jodie Sangster has been the CEO of the Association for Data-driven Marketing and Advertising (ADMA) since 2011 and is also chairperson for the International Federation of Direct Marketing Associations (IFDMA). She has worked across the US, Europe and Asia-Pacific for 14 years with a focus on data-driven marketing and privacy, and began her career as a lawyer in London specialising in data protection. Her resume includes senior positions at Acxiom Asia-Pacific and the Direct Marketing Association in New York.

The recent Ashley Madison hack is a wake-up call not only for consumers, but also for marketers and companies – many of which still do not take their customers’ privacy or data security seriously enough.

There have been other, bigger, high-profile data breaches. But somehow they have seemed more remote and perhaps the consequences not so bad. For example, replacing a credit card is inconvenient and annoying, but not the end of the world.

But the hack of a website that encourages users to indulge in extramarital affairs, which revealed the email addresses, personal details and preferences of that site’s 36 million users, is more devastating. Stories abound of users getting divorced and of careers and jobs being compromised.

As for the Canada-based company, it’s hard to see how it will regain the trust of its customers and remain in business, especially with a tsunami of legal action headed its way. In the meantime, acting Australian Information Commissioner, Timothy Pilgrim, has announced a joint investigation with the Office of the Privacy Commissioner of Canada into the breach.

Lessons to be learnt

If ever there was an alarm bell for marketers, this is it. To that end, there are four lessons to keep in mind from the hack.

First, consumer data is a company’s most valuable asset and, as a result, requires the appropriate level of protection and care.

Second, the Ashley Madison hack is a reminder, as a start, to collect and keep only the customer data you need, protect it while it’s held, and delete it when it’s no longer needed. The law also requires that companies tell consumers how their data will be handled, secured and stored, and allow consumers access to it. If a breach occurs, the Privacy Commissioner can issue fines of up to $1.8 million per data breach.

Ashley Madison had a lot of personal data it didn’t need, including names and email addresses of people no longer using its services or who had signed up, but not actually used the service. But the repercussions for everyone caught in the breach, whether innocent or guilty, were huge.

Third, the level of data security you apply must be commensurate with the data held. In other words, the level of security in place should reflect the potential risk and damage to consumers should that information be inappropriately accessed.

Fourth, all businesses need to think about the consequences of a data breach and what could happen. It’s always dangerous to think you aren’t going to be a target for hackers. Data is a valuable commodity for many. Also keep in mind that some hackers aren’t hacking to obtain data, but as a challenge to business – to simply prove they can hack where they like, when they like.

To be as safe as possible, organisations should be regularly reviewing how they store, manage and secure their data for any potential issues. That means changing passwords regularly, providing ongoing security training to staff, updating operating systems, firewalls, encryption and antivirus software, and ensuring only certain staff can access data.

Many companies think protection only applies to databases. But there are other best practice measures that should be followed. For example, physical data should be secured. Importantly, if you allow staff to bring their own laptops or devices to work, make sure you have robust protections in place and encrypt personal data. You’d be surprised at how often people walk out of the office with a laptop that doesn’t have passwords or encryption, and it gets left behind on a bus or in a taxi.

Companies also need to have a crisis plan in place if they’re hacked. This could include shutting down systems quickly and having processes in place to inform consumers and the authorities about the hack. The majority of companies don’t have a plan and that’s a concern.

Hacking is a crime and an element of business life we need to protect ourselves against. Companies have a role to play in securing consumer data to a high standard and consumers need to protect themselves by thinking through what personal information they will share with companies. The Ashley Madison hack is the quintessential example of a company and consumers not thinking through the consequences of their data being hacked and made public.

New data retention laws

On another matter, obligations under the new data retention laws came into effect on 13 October 2015, and we’ve had a few calls from retailers and businesses in the lead-up asking about any obligations arising from the new laws.

The answer is the new data retention laws only apply to telecommunication companies and Internet service providers – about 300 companies in total. In a nutshell, these organisations will be required to retain information about people’s telecommunications and online usage.

Retention periods fall into two categories. Some data must be stored for a two-year period, to help law enforcement and intelligence organisations in investigating criminal and national security threats. It must also be encrypted and protected from unauthorised interference or access. In other cases, information must be retained for the life of the account plus an additional two years when the account is closed.

There is controversy as the new laws require retention of metadata, which has been left vague and open to interpretation. There is no definition of metadata in the legislation though there is some indication of what is and isn’t included.

Generally, it will include subscriber or account holder names, addresses, date of birth, financial and billing information; traffic data such as numbers called and texted, as well as times and dates of communications; a user’s IP address and type/location of communication equipment.

Metadata does not include content such as the content of emails, SMS, Web browsing history or social media (at least in Australia in the latter case). Where there is a need to access the actual content of communications, a warrant is needed. Similarly, a warrant will be required to access journalists’ metadata in order to identify a source.

Cost is also a concern. Implementation of the new data retention scheme has been estimated to cost between $189 million and $319 million, according to the government-commissioned report from PricewaterhouseCoopers. Despite this, only $131 million was allocated for the Government’s contribution in the 2015 budget, with an additional $10.6 million over four years to support the role of various government departments and $6.7 million over four years to fund oversight of the scheme by the Commonwealth Ombudsman. The shortfall will have to be met by business, and ultimately, consumers.

Tags: digital marketing, data-driven marketing
