There’s been a lot of ink spilled recently regarding data breaches among the email service provider community. Some comments I’ve found to be well-reasoned and constructive while others to be alarmist (even borderline irresponsible) or drilldowns on side issues that don’t really matter much at this point. But what concerns me most are the voices that minimize what’s happening.
My objective with this post is to elevate this issue to a business level discussion, particularly as it relates to where the email industry is headed. This will be a two-part post. The first will be about how I see things in an industry context, and the second on our path forward. I’ll try not to dwell on the obvious but sometimes the obvious needs to be re-stated.
So let me start by encouraging us not lose sight of the essential facts here. There’s been a breach. In fact, there have been multiple breaches — some widely publicized and others kept under wraps. The first essential fact is that our ecosystem is under attack, and that attack is aimed at all of us — enterprise and service provider alike and everyone else in this industry that provides technology, product or services that might touch how customer data is captured, stored, transmitted or utilized.
The second essential fact is that we’ve got to harden our defenses to prevent breaches and improve our detection capabilities to spot them early when they occur. This means we have to map out our business processes, individually and as they might relate to app partners and other providers, to identify our points of vulnerability and take steps to minimize them. And this will take collaboration between all stakeholders and we need a forum for doing so at both a business and technical level. The third essential fact is that we’ve got no choice but to act.
Though we can debate the specifics, I’m fairly certain we can all agree on these essential facts. Let me elaborate on what I mean by the third ‘no choice’ essential fact. Individually and as an industry, we don’t want to be perceived as minimizing this issue. (I know this wasn’t the intent of some comments, but want to emphasize this point.) Not only are the press and regulators watching our response, but so are our customers. I don’t mean literally but in terms of how these breaches affect our customers’ willingness to share their data with us in the future.
We need to demonstrate ourselves to be better custodians of their personal data — applying whatever standards of ‘personally identifiable information’ our customers use, not what the law says. Yes, I agree that customer memories are short and their actions often governed by self-gratification (hottest offer or discount), but it would be a mistake to minimize the cumulative effect of these breaches on customer trust, particularly when sensationalized by the press or politicians with their own agendas.
Are we on the cusp of a customer trust meltdown? I don’t know. But we are dealing with ‘trust’ at a different level than I’ve seen before. Up to now, our trust conversations have centered on whether we can be trusted to use customer data as they’d like it be used. We’ve talked about trust relative to spam, data sharing and the like. These breaches take trust to a much more basic level — can we be trusted to keep our customer data safe and out of the hands of criminals who might do them harm. This is all about data security — something us marketers avoid thinking about, but now must because it has direct brand ramifications.
But think about the issue this way too: it is not going away. Look at where online communication is headed — individualized, real time, cross-channel, interactive conversations. Guess what, this is all data driven. And with technology both enabling this new form of communication and moving more data around faster, the security risks go up exponentially. But my real point is that if we don’t demonstrate ourselves to be good data custodians, customers won’t entrust us with their data so we can participate in this new form of conversational, cross-channel communication in the first place. And where does that leave us relative to the future of digital communication and commerce?
Yes, I know there’s a big societal debate about whether anything can be personal or private in our wired world. But that could take a long time to play out and doesn’t change what we need to do now. Our need to take action is much more immediate. And, yes, I know that this issue has introduced tension into the relationship between enterprises and their services providers. No one wants to disclose too much out of concern for the reaction of the other — or dare I say, the potential liability of one party to another or to the customer. Or maybe it’s to avert scrutiny by regulators.
But I’d suggest we MUST move past these concerns. There’s a mutual dependency here (and, therefore, commonality of interests) that should motivate us to collaborate in finding solutions. Enterprises need the added value and efficiencies that service (cloud) providers can offer. Both need the technology solutions and creative apps that we and others can bring to the table. (Again, it’s the ecosystem.) And all of us have a common interest in preserving the trust of customers.
To me, this issue isn’t about the loss of an email address or many and whether it’s PII or not. It really is about a very fundamental question: Are we trusted custodians of our customer data? And the term ‘customer’ takes on multiple meanings in this context because we’re customers of each other. All of us must be able to answer that question in the affirmative. All of us have too much riding on the outcome not to. We have no choice. So let’s find the right forum for taking action and get on with it.