BreachExchange mailing list archives

Ashley Madison is a wake-up call for all marketers on data retention


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 28 Dec 2015 18:33:49 -0700

http://www.cmo.com.au/blog/data-driven-marketing/2015/12/29/ashley-madison-is-a-wake-up-call-for-all-marketers-on-data-retention/


The recent Ashley Madison hack is a wake-up call not only for consumers,
but also for marketers and companies – many of which still do not take
their customers’ privacy or data security seriously enough.

There have been other, bigger, high-profile data breaches. But somehow they
have seemed more remote and perhaps the consequences not so bad. For
example, replacing a credit card is inconvenient and annoying, but not the
end of the world.

But the hack of a website that encourages users to indulge in extramarital
affairs, and which revealed the email addresses, personal details and
preferences of that site’s 36 million users, is more devastating. Stories
abound of users getting divorced and careers/jobs compromised.

As for the Canada-based company, it’s hard to see how it will regain the
trust of its customers and remain in business, especially with a tsunami of
legal action headed its way. In the meantime, acting Australian Information
Commissioner, Timothy Pilgrim, has announced a joint investigation with the
Office of the Privacy Commissioner of Canada into the breach.

Lessons to be learnt

If ever there was an alarm bell for marketers, this is it. To that end,
there are four lessons to keep in mind from the hack.

First, consumer data is a company’s most valuable asset and, as a result,
requires the appropriate level of protection and care.

Second, the Ashley Madison hack is a reminder, as a start, to only collect
and keep the customer data you need, protect it while it’s held, and then
delete it when it’s no longer needed. The law also requires companies to
tell consumers how their data will be handled, secured and stored, and to
allow consumers access to it. If a breach occurs, the Privacy Commissioner
can issue fines of up to $1.8 million per data breach.

Ashley Madison had a lot of personal data it didn’t need, including names
and email addresses of people no longer using its services or who had
signed up, but not actually used the service. But the repercussions for
everyone caught in the breach, whether innocent or guilty, were huge.

Third, the level of data security you apply must be commensurate with the
data held. In other words, the level of security in place should reflect
the potential risk and damage to consumers should that information be
inappropriately accessed.

Fourth, all businesses need to think about the consequences of a data
breach and what could happen. It’s always dangerous to think you aren’t
going to be a target for hackers. Data is a valuable commodity for many.
Also keep in mind that some hackers aren’t hacking to obtain data, but as a
challenge to business – to simply prove they can hack where they like, when
they like.

To be as safe as possible, organisations should be regularly reviewing how
they store, manage and secure their data for any potential issues. That
means changing passwords regularly, providing ongoing security training to
staff, updating operating systems, firewalls, encryption and antivirus
software, and ensuring only certain staff can access data.

Many companies think protection only applies to databases. But there are
other best practice measures that should be followed. For example, physical
data should be secured. Importantly, if you allow staff to bring their own
laptops or devices to work, make sure you have robust protections in place
and encrypt personal data. You’d be surprised at how often people walk out
of the office with a laptop that doesn’t have passwords or encryption, and
it gets left behind on a bus or in a taxi.

Companies also need to have a crisis plan in place if they’re hacked. This
could include shutting down systems quickly and having processes in place
to inform consumers and the authorities about the hack. The majority of
companies don’t have a plan and that’s a concern.

Hacking is a crime and an element of business life we need to protect
ourselves against. Companies have a role to play in securing consumer data
to a high standard and consumers need to protect themselves by thinking
through what personal information they will share with companies. The
Ashley Madison hack is the quintessential example of a company and
consumers not thinking through the consequences of their data being hacked
and made public.

New data retention laws

On another matter, obligations under the new data retention laws came into
effect 13 October 2015 and we’ve had a few calls from retailers and
businesses in the lead up asking about any obligations arising from the new
laws.

The answer is the new data retention laws only apply to telecommunication
companies and Internet service providers – about 300 companies in total. In
a nutshell, these organisations will be required to retain information
about people’s telecommunications and online usage.

Retention periods fall into two categories. Some data must be stored for a
two-year period, to help law enforcement and intelligence organisations in
investigating criminal and national security threats. It must also be
encrypted and protected from unauthorised interference or access. In other
cases, information must be retained for the life of the account plus an
additional two years when the account is closed.

There is controversy as the new laws require retention of metadata, which
has been left vague and open to interpretation. There is no definition of
metadata in the legislation though there is some indication of what is and
isn’t included.

Generally, it will include subscriber or account holder names, addresses,
date of birth, financial and billing information; traffic data such as
numbers called and texted, as well as times and dates of communications; a
user’s IP address and type/location of communication equipment.

Metadata does not include content such as the content of emails, SMS, Web
browsing history or social media (at least in Australia in the latter
case). Where there is a need to access the actual content of communications,
a warrant is needed. Similarly, a warrant will be required to access
journalists’ metadata in order to identify a source.

Cost is also a concern. Implementation of the new data retention scheme has
been estimated to cost between $189 million and $319 million, according to
the government-commissioned report from PricewaterhouseCoopers. Despite
this, only $131 million was allocated for the Government’s contribution in
the 2015 budget, with an additional $10.6 million over four years
to support the role of various government departments and $6.7 million over
four years to fund oversight of the scheme by the Commonwealth Ombudsman.
The shortfall will have to be met by business, and ultimately, consumers.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 