Posted by Dave Frankland on April 4, 2011
On April 1, 2011, Epsilon announced that it had detected an unauthorized entry into its email system, and that, as a result, a subset of its email clients’ customer data was exposed to an external party. The company indicates that the information was limited to email addresses and/or customer names only. The company is also limited in the information that it can share due to an ongoing investigation.
Epsilon plays in the “permission email” game — it is a legitimate player and certainly not a spammer. It has big and significant email customers — this weekend, I received emails from Disney, Best Buy, and Brookstone, and I’ve read about other notifications from Chase, Citigroup, Barclays, and Kroger. On the one hand, some of the press headlines would lead to a big shoulder shrug — the fact that a spammer might now have my name as well as my email address really doesn’t raise that much concern for me.
But I like to think I’m relatively tech savvy. What about others who might receive an email, correctly addressed and apparently from a marketer that they trust, that asks for more information or asks them to take a specific action? The emails that I’ve seen from the companies above have been well written and designed to offset some of that concern.
My bigger question is the long-term impact for marketers and service providers. Specifically:
- Consumer trust in major brands will take a hit. Few of the people that received messages over the past few days from their banks, travel companies, or retail outlets will have heard of Epsilon previously. Instead it is the brands that are communicating with consumers — with whom the consumer has the relationship — that will suffer a damaged reputation. Consumers will surely start to wonder: if they can’t trust these firms with their email addresses, is it really that smart to trust them with their credit card data, or with their mortgage? Marketers should plan to measure and monitor consumers' perception of this concern and should recognize that working with an external provider to support email initiatives may have a major impact on consumer trust and the company’s brand.
- The entire CI ecosystem will be impacted. Epsilon is a very strong player in the CI arena. And this isn’t an Epsilon-only concern — any company that is privileged to manage the information that a company maintains about its customers should be paying attention. When we have concerns about billion-dollar companies struggling to keep a lid on their customers' data, how much can we expect from startups and tier-two providers?
- The security of the cloud will be scrutinized. Software-as-a-service products are especially attractive to interactive marketers, and many data providers have begun to explore the opportunity of hosting customer data where it lies, making it available for relevant parties to access and leverage in real time. Accessing email addresses may be relatively innocuous, but it’s only a matter of time until someone gains unauthorized access to much more interesting data — data that we would wish they couldn’t access. This raises the question: is a multi-tenant deployment model the best way to handle customer data, given that one breach gives the perpetrator potential access to a wealth of data?
- Data security legislation will be considered. This is just the latest in a long line of data leaks and breaches. And while legislation such as Do Not Track is garnering the headlines, data security is in many respects a much easier legislative issue to pass — it’s hard to argue against a requirement that companies protect the data that they capture about their customers.
- Financial liability will be re-examined. What happens when a bunch of customers suddenly unsubscribe from receiving emails from companies because they no longer trust them? Can companies claim that their service provider was negligent and therefore liable? How can the financial impact be calculated? Expect there to be even more questions about liability and security moving forward.
This breach should be a wakeup call for the industry. MSPs and ESPs should recognize that they’ve dodged a bullet. Email addresses and names are probably the least concerning things that external, unauthorized parties could have accessed from a company such as Epsilon. This could have been much, much worse. Even if Epsilon isn’t your provider, engage your security and risk colleagues, and relentlessly dig into what your providers are doing to ensure the safety of your data — and what they are doing to make sure their answer remains current.