Most marketers likely cringed following the news of the massive Marriott data breach, in which a third party accessed hundreds of millions of customers’ information. In order to comply with FTC regulations, Marriott had to inform its entire email list of the incident. This obviously leads to a loss of customers and brand trust. It also can result in high marketing costs as a company attempts to rebuild its brand and customer database. A study from the Ponemon Institute reports the average cost of a breach globally is $3.86 million.
The impact of a breach on the marketing department is more than financial. It also affects email deliverability. Email experts know sending out a message en masse to an entire database, without first filtering out unresponsive and inactive email addresses, hurts the sender’s reputation. Why? Inaction over time indicates the recipient doesn’t want emails from the sender. Mailbox providers recognize that behavior from recipients, and notice when unengaged addresses continue to get mail from unwelcome senders. When a company works with a large ESP and suffers a data breach, it can work to prevent reputation damage by proactively sending emails to certain lists and mailbox providers to warn them of emails they are about to receive, which serves as an explanation for the sudden re-emergence of their brands in unengaged recipients’ inboxes. Regardless of any pre-work done to mitigate damage, a brand’s email reputation will be impacted for some time, thanks to an inevitable spike in undeliverable emails and users reporting messages as spam.
Data breaches also bring about legal ramifications, which often surface during the notification process, when you consider communications to former or opted-out subscribers. Laws like CASL and CAN-SPAM allow users to send notification-type emails in this scenario, but it is important to carefully consider the content requirements to avoid any potential violations. It is best to stick to the facts and avoid anything that might be viewed as promotional, as a promotional message during this time would violate the letter of the law.
Here are three things to consider to help fight a data breach’s impact on a brand’s email deliverability.
Age of the Data
The severity of a breach could often be lessened if brands got rid of data sooner. While there is no black and white set of standards for all data storage, it is important to regularly review all saved data. Consider a few questions while you review your data:
- Is it still needed?
- How often is it used?
- How much will it be used, going forward?
Through review, you can determine if the data should be deleted or anonymized. For instance, a recent data breach leaked the HIV status of more than 14,000 people, with more than half the records identifying diagnoses made prior to December 2011 and the remaining records from before January 2013. Had files been anonymized or deleted within a reasonable timeframe, this breach would either not have occurred or, at the least, would not have been as impactful.
Amount of the Data
There is a simple principle to trust when it comes to preventing data breaches: If the data does not exist, it cannot be stolen. Data minimization is a great way to avoid a breach. Ask yourself if the job can be completed without any of the data you currently hold. If it can, then that data is unnecessary. For truly necessary data, encrypt it when possible, as this provides another layer of security. While certainly an investment, the short-term costs of encryption are worth the long-term protection, as Marriott likely learned. More than 5 million guests had their passport numbers stolen, prompting Marriott to cover replacement costs of about $110 per passport. If Marriott had encrypted those numbers, or simply not stored them beyond their required use, it could have saved millions of dollars and kept its brand reputation intact.
Access to the Data
One of the most difficult things to plan for is employee turnover. When an employee leaves, it inevitably results in a knowledge gap. If this is not addressed, data can go unnoticed for a period of time, opening the door for a hacker to take advantage. Osterman Research found in a recent survey that nearly 70 percent of companies suffered data loss due to employee turnover. According to the research, there are various causes: the former employee often accessed unmonitored data, the employee’s data set was not deleted upon departure, or company data was not wiped from ex-employee-owned devices. It is important to take preventative measures before an employee leaves, which means knowing and revoking access to sensitive data.
Unfortunately, it seems data breaches will continue to occur. There is hope breaches will become less frequent, because legislation like GDPR went into effect and the California Consumer Privacy Act will do so in 2020, but it is still best to be prepared. Companies need to pay close attention to what data they store, how securely it is stored, how long it is stored for and who has access to it. Protect your customers and your company’s reputation through consistent monitoring of your data practices. If a breach does happen, you run the real risk of damage to your email reputation. Be prepared for all scenarios by simply having proactive forethought.