It’s not just if a data breach happens that matters to consumers, it’s how marketers deal with it when it does. Media attention on consumer protection and Heartbleed security flaws may frighten consumers about the safety of their personal data. So data breaches aren’t just business security issues, they’re also about consumer trust in our brands and in our marketing.
A sad fact of our time is that every company is at real risk for criminal data breaches. Nearly every aspect of our society has been hacked, including education, business, and government. One report quoted by law firm Venable found that 621 confirmed breaches occurred in 2012 alone, and retailers represented 21.7% of network-based breach incidents.
Brands hold a fragile trust bond with people. That bond is shaken a bit now for every brand, not just those in recent high-profile cases. Marketers have a chance to be at the epicenter of corporate and brand readiness by working with legal, IT, privacy, and customer service teams.
Who better to lead the charge on readiness than the people who will be most affected in terms of business goal attainment? Marketers can step up and be the company lead on data stewardship and customer centricity–especially since it’s our processes and practices that are under attack. .
To get started, take a look at the checklist included in the newly updated Article #37 in the 2014 Ethical Business Guidelines from DMA. Some of the guidance includes:
- Should you be in a situation where you’re dealing with law enforcement, it’s important to have a published privacy and security policy, as well as documented internal processes and meaningful employee training.
- A collaborative approach must include legal, privacy, IT, your colleagues in marketing (like email, social, and digital), and even HR people. For example, the DMA guidelines now include recommendations on “BYOD”—or bring your own device”—employee training.
- Figure out the most appropriate law enforcement contact and make that part of your planning process.
- Your plan should facilitate a coordinated response that is rapid, thorough, and reasoned. Focus on notification for internal teams and external parties like customers, partners, credit card companies, and (even if not legally required) regulatory agencies and law enforcement.
- Even if Personally Identifiable Information (PII) or financial data isn’t breached, you may still be regulated and required to notify affected parties. Remember that email address can be considered PII in some situations. Check with counsel about what exactly constitutes PII in each state, and plan ahead for your notification business rules. You may decide for business purposes to notify more people than legally required, for example.
These situations are regulated. However, it’s important to note that 47 states have breach notification laws, each with their own requirements. The rules will apply not just to the business location, but also to the location of the people affected and/or the data affected. Be sure that you have your requirements up to date.
When a data breach happens, a lot will be going on at once, in addition to your daily activities. These new emergency activities range from call center training and PR to law enforcement cooperation and research on relevant elements. The plan you create will be your blueprint for action, especially in the first crucial 72 hours. It’s also a good idea to test your plan with a mock crisis situation. Better to know now where the holes are than to find them out when the pressure is on.
This plan development and testing takes a financial commitment. It will include legal fees, as well as employee time and research. You may need to update your various security certifications or practices. However, the financial cost of a data breach in 2012 was estimated to be $5.4 million, according to Venable. That doesn’t necessarily count the costs of recovering brand reputation and consumer goodwill, as well as any regulatory investigations—even if there isn’t litigation.
Consumer trust is at risk, even if your company isn’t breached. DMA accepts tens of thousands of consumer complaints a year about marketing practices, most of which are around choices offered via our consumers services like DMAChoice.org (opt out for direct mail) and AboutAds.info (opt out for behavioral advertising). However, recently, complaints about phishing and malware have increased, which the DMA sees as reflective of heightened levels of consumer anxiety and unease. Anxious customers aren’t happy customers.
Are you taking the lead role in planning readiness for your own company? Comment below on what resources you need to be successful.
| Stephanie Miller is VP of member relations and chief listening officer at the Direct Marketing Association. She is a relentless customer advocate and a champion for marketers creating memorable online experiences. A digital marketing expert, she helps responsible data-driven marketers connect with the people, resources, and ideas they need to optimize response and revenue. |
