Do You Think Of Consumers When It Comes To Data Security Policies And Controls?

Your customers are consumers too. They don’t turn into business bots when they set foot in the enterprise. Whether your organization sells a product or a service to enterprises or consumers, you’re interfacing with consumers who have opinions about security and privacy. S&R pros, you already know that you have to be on top of things like regulatory compliance (Hello HIPAA! Hi EU Data Protection Directive!) when creating policies and implementing controls. But what about consumer perceptions and behavior? Consider that*:

  • 49% of US online consumers are concerned about security and privacy when purchasing products online
  • 44% of EU online consumers say the same about sharing personal information to access a website
  • 39% of US online consumers express security and privacy concerns over sharing personal information to participate on a website (e.g., discussion boards, writing reviews)
  • 20% of EU online consumers are concerned about their security and privacy when downloading apps to their mobile phone

These concerns bring up questions like: Is your organization collecting more information than is necessary from your customers? What is done with this data? At what point does old data get disposed of? What does your company’s app do exactly? And does the app’s privacy policy really reflect the app’s true behavior?

These and other concerns apply regardless of whether your business is B2C or B2B. It doesn’t matter if your company sells plastic flowers, provides headhunting services, or produces chemicals. You’re handling data on individuals and entities that need to be protected. A corporation is not a real person, but it sure is made up of real people who have expectations and concerns about how your company handles information relating to their organization. In the course of a business relationship, your company will amass information about this organization’s dealings with your company. This is not PII per se, but sensitive information nonetheless.

S&R pros: to address these concerns and create deeper alignment with the business, start by aligning yourself with your customer. Your peers in marketing are already making moves to put the customer at the center of the customer life cycle, and this will have implications for technology, processes, and relevant data security and control policies that will come within your domain. Get ready, and get ahead; align data priorities and jointly justify needed investments to boot.

S&R pros, what are you doing to engage with your business peers and align priorities? What’s worked for you – and what hasn’t? I’d love to hear about your thoughts and experiences here.


*Data source: Forrester’s North American Technographics Online Benchmark Survey, Q3 2012; European Technographics Consumer Technology Online Survey, Q4 2012. This data was first published in the January 15, 2013, “Know Your Data To Create Actionable Policy” report.


Customer data vs. Employee data

As I was reading this post, the question that kept popping into my head is the comparison between customer data and employee data. If you think of your employees as average consumers, does it mean you treat employee data differently than you do today?

Data about people is data about people

I see it all as sensitive data, whether it is customer data or employee data. If by "treat differently" we mean affording a high level of protection to employee data that may not necessarily have been there before, because we did not think of employee data in such a way, then yes.

Treat employee data the same as customer data. I would extend this to information that enters an organization's hands from job applicants too -- dispose of it if it's no longer needed, and make sure it's protected if it is retained for whatever reason. Ultimately, this leads back to long-term competitiveness. Employees can feel betrayed if their data is compromised, and prospective job applicants may think twice before applying.

Majority of Consumers Don't Care

Many people living outside the USA - like me - have always been amazed at the relative lack of security found in ecommerce websites in the US compared to the rest of the world. For example, I haven't come across a single leading US website asking for Verified-by-Visa or equivalent type of two-factor authentication despite FFIEC having mandated 2FA for US banks way back in 2005, and despite its widespread use in the UK, India and many other countries in the ROW for several years now. Recently, I was shocked to note that a couple of US websites didn't even ask for CVV while making a credit card payment.

This article explains why this is the case. If "49% of US online consumers are concerned about security and privacy when purchasing products online", it means that the majority don't care.

They might not care, but they may not know either

Thanks for your comments, Ketharaman! Good points about the inconsistencies. Yet, I would hesitate to label the other 51% all as not caring. There is likely a subset here that really doesn't care, but I imagine there is also a subset that can be attributed to lack of awareness, if consumers are simply assuming that these transactions are secure because it is a "reputable" company or a big brand that they recognize. Or perhaps they do not know enough to identify what constitutes the elements of a secure transaction (this then opens up a whole other can of worms of whether consumers should even have to know), and again are just assuming that the company they are purchasing from has already taken such precautions.

What About The Regulators?

@HeidiS: I agree but I don't think ROW consumers are necessarily more aware about security than the US ones. 2FA and other heightened security measures in ROW are largely due to regulatory intervention. Maybe it's due to the "less government, less regulation" principle or whatever, but I've always wondered why regulators haven't stepped in to enforce tighter security for ecommerce in the US.

Regulators Go with Risk

Ketharaman, regulators see the greatest risk to eCommerce as banking risk.

Regulators in the US spend time ensuring bank security is compliant with regulation. In order for the banks to meet their regulatory requirements, they have to ensure a high level of security for both internal and external users. Credit card companies have a business incentive to be sure fraud is limited, as they are liable for replacing the funds (hence, PCI DSS). It seems like a "trickle down" security strategy, but there are limited regulatory assurance capabilities and a large number of banks.

Also, some banks have started redirecting customers to their banking site if they pay online without the CVV. Banks are taking it upon themselves to ensure more stringent authentication methods where the eCommerce companies fail.