Gary Davis, chief security evangelist for McAfee, speaks at the Marketing Kingdom Canada conference in Vancouver
Companies can take several steps to avoid the potentially disastrous fallout from a data breach that exposes clients’ private information
The more information you have about your customers, the better, right? Guess again. As attendees heard at the recent Marketing Kingdom Canada conference in Vancouver, cybercriminals are working overtime to steal that data. If you’re overzealous about collecting client information, a privacy breach could mean big trouble for your business.
BCBusiness was a media partner of the two-day Marketing Kingdom Canada, whose guest speakers included representatives of brands such as Lego Systems, Microsoft Corp. and Starbucks Corp. This marks the first North American debut of the conference series, which was launched by Macedonia-based P World in Zagreb, Croatia, in 2011 and has since held gatherings in 15 countries.
Gary Davis, chief consumer security evangelist and vice-president, global consumer marketing, with U.S. cybersecurity software maker McAfee, offered some advice for companies looking to balance data collection with respect for their customers’ privacy.
For starters, you can expect the problem to get worse. “Year-over-year, we see a 38-percent increase in cyberattacks,” Davis said. “A lot of these cyberattacks deal with the access of consumer information and make that consumer information available on the dark web.”
It’s understandable that marketing departments want to collect better data about customers and prospects, Davis observed. “The more data we have, the better we understand what is the right offer at the right time to the right consumer on the right platform,” he said. “But there’s consequences of that. The more data you have, the more likely that something could go wrong with that data.”
The worst-case scenario, according to Davis? When your company is breached and “you realize the information you’re collecting goes way beyond anything that consumers knew you were collecting, that’s where things get really ugly.”
Data is forever
The stakes are high. In 2017 alone, 2.5 billion records were breached, said Davis, who reckons that criminals expose about 4,000 every minute. “Why are these bad guys spending so much time trying to get access to data?” he asked. “The value of that data is worth 10 times more than a breached credit card.”
As Davis pointed out, credit card companies have become expert at quickly detecting fraud. “The life of a credit card is very, very small,” he said. “But the data that these bad guys are trying to collect from your data stores lasts forever and is very rich.”
If you’re a victim of cyberattack that has been made public, it will cost you about US$150 per record to put things right by taking steps such as providing monitoring for affected customers, Davis said. And if you’re a small to medium-sized business, there’s a strong chance a data breach will take you down, he maintained. “You can expect your reputation to be harmed for about a year, if you can come back at all.”
Coke isn’t it
Last year McAfee asked about 1,200 North American consumers which companies they trusted with personal information such as sex, address and marital status. “What surprised me was nobody trusts Coke,” Davis said. Just 7 percent of respondents gave the soft-drinks giant a thumbs-up, versus 14 percent for Facebook, 19 percent for Google, 23 percent for Costco and 25 percent for Apple.
“Four or five months ago, sure enough, Coke was breached,” Davis added. “It wasn’t necessarily data about consumers, but all the personal data about everybody who works at Coca-Cola was all of a sudden exposed.”
What didn’t surprise Davis: the most-trusted companies. “If you do privacy well—you should make it your mission to make sure you collect just the right information you need to deliver your products and services—and you use privacy as a differentiator, you can make more money,” he said. “[Apple] have spent their entire livelihood talking about how much they protect the private information of consumers.”
The high price of mistrust
With the Washington-based National Cybersecurity Society, McAfee also surveyed consumers about what kinds of things they avoid if they don’t trust a brand. Fifty-one percent said they don’t click on the company’s online ads “because they don’t think you keep their information private,” Davis noted.
Meanwhile, 44 percent of respondents said they withheld personal information. “So even if they click on the ad and they may have gotten to a shopping cart, they actually opted not to give you much information because they didn’t trust you to keep that private information private,” Davis explained. “Think of how much you spend on trying to get somebody to come to your website or your portal to buy your good or service.”
Thirty-six percent said they decided to stop using the company’s website, Davis revealed: “They went there a couple of times and then they determined, for whatever reason, they just don’t trust you with whatever information you’re asking for.”
6 steps for doing privacy better
With those sobering numbers in mind, Davis offered a few tips for businesses that want to avoid alienating customers and setting themselves up for costly legal woes.
Only collect what you need
Davis cautioned against collecting unnecessary information. “If you wake up one day and your data’s been exposed, you’re going to regret having all that data,” he said. Litigation against companies that have been breached isn’t usually about the breach itself, because they had proper security controls, Davis explained. “It really came down to the fact that they were not doing what they were saying; they were collecting more information than they claimed.”
“Be mindful of what’s going on in the space,” Davis said. “You’ve got to use that information to make informed decisions.”
Use privacy as a differentiator
“Don’t try to use privacy as a differentiator if you suck at it,” Davis said. “If you’re not being transparent, if you’re collecting way more data than you say you are, if you’re not using best practices to protect that data, then don’t say you’re good at keeping data private. But if you are, use it as a differentiator. Your company will benefit.”
“Spend the time to be transparent with your consumers so when they engage with your service, they know what you’re doing and they’re OK with it.”
Plan for the worst
Although privacy breaches don’t call for crisis communications in the traditional sense, get ready for them, Davis advised. “I don’t want to be the naysayer here, but plan for something bad to happen.”
Use simple language to describe use of consumer information
Companies like to bury the details of their privacy policies, Davis noted. “Don’t do that,” he said, pointing to Google’s move over the past year to become highly transparent about what data it collects, where that information is housed and how it will be used. “The simpler you can make it, the more consumers are going to embrace your brand.”