This is page 2 of:
Epsilon Breach May Finally Force Data Handling Rule Changes—And It’s Only About Five Years Late
At a glance, it’s easy to say that these chains erred because they all chose to retain the services of this E-mail vendor. But it’s not nearly that simple. First, it’s not clear yet if Epsilon did anything reckless to allow such a breach. Second, even if it did, there are some practical issues here about how many companies can truly support the efforts—E-mail or otherwise—of this large a set of companies.
A few weeks ago, the CIO of a major brand was discussing an internal outsourcing contract issue. The situation involved a major IT blowup, a move that many within the retailer blamed on the outsourced vendor. After the smoke cleared and tempers calmed, the retailer quietly renewed the contract of this vendor. The vendor involved was one of the largest vendors in retail—with lots of marquee retail names on its customer list—and that was the key issue. Unless hard evidence of something truly reckless, illegal or malicious—the proverbial smoking gun—materialized, changing vendors couldn’t be justified.
“When it comes to running high-availability projects of this size, how many others have the experience or manpower to do it?” the CIO asked, adding that there’s never a guarantee that a different vendor wouldn’t have made the same type of screw-up. Add to that the cost of transitioning, the many months of slowdowns as the data is transferred and the practical lack of any meaningful advantage to the retailer, and it’s easy to see why these large outsourcers have staying power.
With Epsilon, the same issues crop up. What would make it worth the effort to switch E-mail marketing firms? There’s also safety in numbers. As long as Epsilon is being used by so many major retailers, it feels safe to retain the company.
What’s missing are the data security standards that would make big outsourcers places where there’s not just safety in numbers for retailers but also actual safety for customer data.
Chains are generally quite good at protecting the data that some outside entity requires them to protect, such as payment data (PCI), shareholder information (Sarbanes-Oxley) or medical data (HIPAA). Unfortunately, this has sometimes had the unintended effect of making data that is not under some legislative or industry requirements seem less critical.
How many huge breaches of such information have to happen before more chains will require internal rules protecting such data? Under those rules, third parties would be scrutinized and monitored much more closely. Are a million E-mail addresses any less valuable than payment-card numbers? What about CRM files? Lists of prescriptions? Inventory files? Supply chain records?
Of course, making the business case for meeting PCI, SarbOx and HIPAA requirements is comparatively easy. Someone else has made those rules, and there are quantifiable fines when those rules are broken. Raising the bar for security of other types of customer data will be a lot more difficult—not just because there’s no big financial stick, but because there’s no set of defined rules for a data security standard.
There’s an easy way to solve that second problem. Every retail chain already has to deal with PCI requirements, so make that the baseline for handling all customer data. That approach has the advantage of simply being an expansion of a security standard that’s already a requirement.
The hard part will be finding—and funding—a way to actually make all customer data as safe as payment-card information.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
