The marketing team of the dating app Coffee Meets Bagel spent Valentine’s Day living out their worst nightmare. They reported a breach of data belonging to about 6 million users. Attacks like this create several issues for brands, including a loss of customers, brand trust and money.
In the aftermath of a breach, a marketing team should look at their email deliverability. The FTC has a protocol for brands to follow as they respond to a data breach, which includes reporting the attack to those impacted by it. The first hours after a breach are an important time for brands to work with mailbox providers (MBPs) and email service providers (ESPs) to prevent reputation damage.
Most email marketing teams know they should only be sending messages to their active and engaged subscribers. However, when it comes to breach reporting, this best practice might get pushed to the side. All 50 states have some form of mandatory breach notification requirements, ranging from 30 days in Colorado and Florida, to 45 or 60 days in most other states.
These requirements include notifying all individuals impacted by the breach and oftentimes notifying the legislators as well. As a result of these requirements, email marketing teams will now need to deal with the impact of mailing to unsubscribed, old, suppressed, and inactive users. Unfortunately, the unavoidable spike in undeliverable emails and messages reported as spam will result in a negative impact on a brand’s email reputation.
Following a data breach, the required reporting can be done through other channels beyond email. Although email is the fastest and most affordable in the short-term, it’s beneficial to consider other options like postal mail for higher-risk victims. It’s best to segment by the level of risk to identify who should be notified by email and reach out to the most engaged segments first.
With a breach also comes legal ramifications. These often arise during the notification process, when communicating with former or opted-out subscribers. Laws like CAN-SPAM and CASL allow brands to send notification emails in this situation, but they impose requirements on the content of the message.
In order to comply, stick to the facts and avoid promotional content. Newer laws like the California Consumer Privacy Act (CCPA) also include a limited private right of action for certain data breaches, specifically where insufficient security was used to protect the impacted data. By contrast, recent protections added to the Ohio data breach laws (OH SB220) can spare companies with adequate security from litigation.
As brands consider the potential threat of breaches, there are actions they can take to ward off the threat of breaches and, should one occur, handle it well. Below are a few things to consider.
Who has access to data
Data vulnerability involved with employee turnover can be easily overlooked. Osterman Research reports 87 percent of employees who leave a job take data with them. Not only can ex-employees take data with them, but turnover often creates a knowledge gap. The data the employee had access to often goes unnoticed and unmonitored.
The Osterman research further shows 28 percent of organizations do not wipe corporate data from employee-owned devices when they leave. Companies must take preventative measures: know what data employees have access to, and revoke that access when they depart. Employees will leave, but they should not take data with them.
Get rid of any data you don’t need
Data minimization is a key way brands can work to prevent a breach. If data does not exist, it cannot be stolen. Too often there are breaches in which unnecessary data is stolen. If a job can be done without a piece of data, that data is not necessary and should be purged. Any data deemed vital should be encrypted when possible to keep it safe.
For example, the recent Marriott breach exposed 5 million unencrypted passport numbers. While these passport numbers might have been deemed important to keep by Marriott, they could have potentially saved a lot of money and trouble, while preserving their brand reputation, by encrypting such sensitive yet important information.
Don’t hold onto data too long
Not all data needs to be kept forever, and a shorter shelf life for data can help lessen the severity of a breach. There is no black and white set of standards for how long to keep data, but companies should regularly review their policies. Think about the use of data in the future. Will it still be necessary moving forward? How often will it be used? Asking these questions can help determine whether data needs to be kept or should at least be anonymized.
Legislation to help prevent data breaches is continuing to be introduced around the world, but this does not mean brands can relax. Sadly, breaches are going to continue, as we see in the news every day. Companies can protect their brand reputation and email deliverability by closely monitoring data they store and who has access to it. Obviously, the goal is to protect the customers and the company by having healthy data practices. And if there is a breach, you need to be prepared to respond.
About the Author: Matthew Vernhout is a digital messaging industry veteran and Certified International Privacy Professional (CIPP) with more than a decade of experience in email marketing. Matthew is 250ok’s Director of Privacy, and he is currently the Vice Chair of the eec, after serving for several years as the Chair of their Advocacy Subcommittee.