Data Protection Standards Changing for Database Marketers

What do Citi, Sony, Michael's, Epsilon, and 4 leading Australian banks have in common?

The answer is globalization, of consumer data intrusion, that is.

Almost everyone is aware of the steady stream of data breaches perpetrated this year against high-profile brands, and some sources have counted over 150 major breaches in the U.S. alone. The two highest-profile might be the intrusion and alleged theft of customer data from numerous Epsilon clients and Sony PlayStation users, but the Citi incident was significant as well.

I’ve maintained a theory that data security will be the next differentiating field of play, not just for Loyalty Marketing, but for the broader database marketing industry. The frequency of announcements that we’ve seen during 2011 validates the growing problem.

Although data security has been a concern for over a decade, a move to adopt industry standards began in the 2005 time frame. The top tier of suppliers invested in obtaining PCI compliance and SAS Type I and II certificates, and for a brief period the industry developed into a "have and have not" landscape. Smaller suppliers could not afford the six-figure investment needed to obtain the certifications, and were forced to make a business decision about the impact on their customer base of not having them.

The need for data security certification became overwhelming soon thereafter, and today I would say that PCI compliance is a “must have” in order to compete for business from top brands in North America. Now, the bar must be raised.

I read this statement in an article this week on Supermarket News discussing lessons learned from a 2007 intrusion at Hannaford Bros.: “Compliance with the five-year-old Payment Card Industry (PCI) Data Security Standard – Hannaford was PCI-compliant – proved not a sufficient defense against malware that could pilfer moving card data.”

If PCI isn’t enough, what is? To get the answers, I sought out the opinions of a seasoned practitioner fighting cyber crime and had an interview with Alan Heyman, Managing Director of Cyber Security Auditors & Administrators LLC.

Alan exploded one myth that I had believed about data breaches: that hackers might one day sweep money on a large scale from a portfolio of checking or savings accounts at a bank. "It won't happen that way," he shared. "The hackers prefer to creep in and instigate small charges that can be perpetuated for a sustainable time without sounding the alarms of the corporate watchdogs." Apparently an innocent-looking "service charge" appears, and the game for the hackers is based on volume and time.

While such direct fraud damage may be significant enough, a host of indirect costs can further devastate a breached firm. Alan reminded me that the attack on TJMaxx a few years back ultimately cost the firm over $300 Million, and Sony's disclosed cost to date is in excess of $171 Million. Alan told me that "the costs are an aggregate of IT hardware remediation and repair, legal fees and customer notification, and do not include fines and longer term remediation." In other words, the cumulative cost to a business can be enormous.

As with other types of fraud, managers need to look internally to ensure that associates are not part of the problem. There is strong suspicion that the intrusion at Michael's retail stores was an inside job. The hackers don't want to be found out and hedge their risk by claiming a few pennies here and there, not unlike the scheme illustrated in the movie "Office Space".

The risk to brands is hard to quantify. How do you put a price on loss of customer loyalty, goodwill, and trust? The cost of class action suits, fines from state authorities, and customer notification is more easily projected, but think about a large-scale loss of customers who say "I'm not going to shop there anymore" or "I'm not going to use my debit card anymore", and the threat comes into full perspective.

Alan validated the Supermarket News statement in my interview, saying that "organizations must work ahead of the game to establish a defensible security position" and that "PCI is not enough anymore; firms must create and maintain a Written Information Security Plan (WISP) to place themselves in an accountable and defensible position, should a breach occur".

The game has changed again, and all marketers who collect, manage, and maintain consumer data should be re-orienting their view towards security “standards”. I just scratched the surface in my conversation with Alan and we all need to go deeper.

Your brand affinity and customer trust may just depend on it.
