expōnere

Hell – The Right Approach to a Data Breach

There are any number of approaches to data breaches in business today.  Whilst regulation is ever trying to get to the point where notification of breach is mandatory there are still plenty of businesses out there who will go to all sorts of lengths to sweep things under the carpet rather than own up.

Not so Hell – a truly rocking pizza company in New Zealand.  Certainly no stranger to controversy – some of their marketing campaigns have been widely criticised, Hell seems to be taking the bull-by-the-horns and going all out to keep people happy.

Today I received an email from them…

Dear Valued Hell Customer,

We have been approached by a party claiming to be in possession of
customer details from the previous Hell website which is no longer in
operation.  The samples that we received included details of four customers
from 2006, including phone numbers and email addresses and order
information. We can confirm that credit card data was not at risk as this
is held independently on a secure banking website.

Whilst we are still investigating the matter, we can confirm that the
information was obtained without our knowledge and we have approached the
New Zealand Police with a view to lodging a formal complaint.  Hell
recognises the importance of protecting customer information and additional
security measures were implemented earlier this year when our new website
was rolled out (again, we reiterate that this is not an issue affecting the
new website). As a further security measure your may wish to consider
changing your passwords on other sites if they were the same as the old
Hell Pizza website.

We apologise for the incident and any inconvenience that this may have
caused.

Sincerely,
Stu McMullin – Director Hell Pizza

We acknowledge that some of you have asked to be removed from the database
and we have only included you for the purposes of this notification.

No mucking about, no bull just a straight forward there might be a problem, we know, the police know so go do this just to be safe.

This IS the right approach to notification in my opinion.

I’m not totally up to date on NZ privacy law (a couple of years out of date), so it could well be that by now notification is mandatory.  Even if it is, props to Hell for getting it out there.

FYI: Hell pizza really is very very good.  Think PIzza Express with attitude.  Even better you can get them in the Hell Pizza UK – well London with branches in Fulham, Shepherds Bush and Clapham.

Trust in Imagery – Have BP Been Caught Out Faking Things Again?

Pretty well EVERYONE by now has seen the poorly faked up Reponse HQ photo from BP.  It’s even done mainstream news and there’s been an apology from BP.  Seemed dumb, especially as all they were actually doing was filing in two or three blank screens.

Well, today another photo has emerged that also looks decidedly odd (the original is here).

All looks fairly innocuous but there are a few bits out of place.

1. The control tower top left?  It would be over 200 feet tall to be up there surely?

2. The footwell light bottom right is a totally different colour to the surrounding sea.

3. A close look at the status screens shows doors and ramps as being open – at this height, really? (unfortunately I don’t know enough about the instruments to delve further).

4. That’s a very odd blur below ship in left hand windscreen – not at all like a smear on the screen.

BUT the best thing is the guy on the left has his fingers crossed.  Was it trepidation at the pending take-off (come on we all know this was pre-flight) or is he a BP exec just hoping people won’t notice?

Now of course there may well be plenty of image experts out there who will be able to prove this is an original and un-doctored image, BP may even come out fighting but honestly given their recent muppetry just how much do you trust the image above?

My Response to “Putting a Price on Data” by Ian Hitt

Here is my rapidly put together (and therefore apologies for it not necessarily being totally thought through) response to Ian Hitt’s post over on Reputation Online about “Putting a Price on Data.”

Many marketing professionals think that client data is something they own, have a right to or an ability to sell. Most data professionals will know they’re wrong.  Good data is indeed a corporate “asset” and if utilised appropriately have a high monetary value but…

The thing about client data is that most people in the marketing profession just don’t really understand “data” – sure they can get all righteous about lifeblood, insight and segmentation but actually data itself is not that simple; data is not a database.

Let’s break it “client data” down and see if we can’t get some clarity.

“Client” who’s client?

cli·ent  n.

1. The party for which professional services are rendered, as by an attorney.

2. A customer or patron: clients of the hotel.

3. A person using the services of a social services agency.

4. One that depends on the protection of another.

So from a marketing database perspective there are two clients; the first being the paying customer of the agency (ala point 1) and arguably the data subject, the end user about which data is collected (ala point 4).

It doesn’t take a rocket scientist (or a data professional) to work out that actually when marketing companies talk about a “client database” what they are actually referring to is the later; a database of stuff about any number of individual people, often collected overtime under various pretences and situations.

In this context the client (albeit often unwittingly) is an individual for whom they rely upon the protection of data about them by the database “owner” – or data controller.

“Data” who’s data?

da·ta  pl.n. (used with a sing. or pl. verb)

1. Factual information, especially information organised for analysis or used to reason or make decisions.

2. Computer Science Numerical or other information represented in a form suitable for processing by computer.

3. Values derived from scientific experiments.

4. Plural of datum.

The key part here is point 1; data is factual information organised for analysis or decision making and is surely the cornerstone of marketing?

And so to my thoughts on Ian’s post.

A business does not “optimise the value of its database” it seeks to gain value from the quality of the analysis of the data held within that database.

Looking at a couple of Ian’s individual points;

“Volume is important but data quality is paramount. Every record has a value and the whole list needs to be viewed as part of the corporate asset.”

Quality of data is indeed paramount but the very traditional process of acquiring, storing and analysing personal data undertaken by the marketing industry is counter-productive to achieving high levels of data quality.   Why?  As an example think of some of the simplest personal data held by marketing databases; contact information.  My email address, telephone number, even my physical address are not concrete – they change in time.  It doesn’t matter how rigid one’s checking for a valid postcode or email address may be when gathering personal data is, if the data you are gathering naturally decays then you’ve failed.

Several marketing insight groups are starting to see the light here.  Why pay to acquire and store stuff that is by its very nature junk.  Far better to ask for the information as and when needed, never to store it (for anything more than easing end-user experience) and to just accept that 100% cleansed data is a myth – it can’t be done.

As for being a “corporate asset” well not really.  Firstly as with the example above, it is patently a liability to pay cold hard cash to gather, store, analyse upon and market to data that is incorrect.  Secondly a corporate doesn’t “own” the data per se.  I won’t get in to the philosophical arguments over whether data is in fact even “ownable” here but the asset lies not in the data but rather the relationship with the data subject and their willingness to maintain that relationship.

“Customer relevance is key, and marketers need to understand consumers in order to appropriately segment them and track their behaviour over time, so that they receive market information which is relevant to them.”

There is, in my opinion, value in trying to understand consumers over time – especially where the level of financial risk (normally through long product lead-times) is high.  However this is becoming harder and harder to do.  Aside from regulatory restriction the simple fact is that consumers are spreading their attention more thinly across an ever increasing number of online and offline properties.  To capture a picture of that consumer through any single database is likely to become less and less accurate.

Loyalty schemes are a good example of this failing.  Not your local coffee shop and their paper based card but the big ones, the Nectar cards of the industry.  To the consumer they offer a perception of value exchange based on their loyalty to certain brands, in reality they are price discriminators trying to force consumer choice into any single outlet within a vertical market – that’s why you only ever get a single supermarket, garage chain or clothing outlet per scheme.

But the reality of life is that average consumers don’t just use a single supermarket.  Take me for example.  I use our local Co-Op on a day to day basis, but they don’t sell a particular brand of cereal that #1 son likes, so we do a weekly shop in Waitrose or Sainsbury.  Of course if we are over the river in Thurrock we might pop in to the Tesco superstore or if at Bluewater we might hit up the local ASDA.  We are kind of loyal to Co-Op but situation matters.

So our share-of-wallet spending in Sainsbury (on the Nectar scheme) is not actually representative of our food spend.

And the same goes for any insight gathering activity.

The “simple” answer actually lies in flipping the model to where the consumer requests stuff from the marketing agency.  It’s a wonderful utopian idea, but one which I’m sufficiently pragmatic to accept is unlikely – at least anytime soon.

For me the mid-term solution lays in a third party providing aggregation for consumer behaviour at the bequest and under the control of the data subject, the consumer themselves.

This intermediary, a broker, would offer a service where the consumer can easily record, augment and share their data with businesses they want to.

This doesn’t mean the end of marketing insight – but it would spell the end of marketing databases.  The playing field would be levelled with marketing agencies competing on their ability to analyse the data to which they are given privileged access rather than who can build the biggest database.

“Emails and resulting data should be collected as a matter of course. There are numerous opportunities to collect emails from customers and it’s surprising how many companies don’t prioritise this activity. Emails should always be as personal as possible. It doesn’t take much effort to have one-to-one communications with thousands, or even millions of customers.”

The enlightened have long since realised that email based marketing really isn’t the way forward.  Sure if you send out a million emails for £1 and get a handful of responses it seems like great R.O.I – but honestly I don’t want to get into this, you all know there are better, smarter, more elegant solutions out there.

“Ensure compliancy.  It sounds obvious but ensuring your email collection policy is compliant with data law is even more important when you remember that the ICO has the power to fine you up to £500,000.”

For anyone that knows me, or even hears me speak on this issue, I apologise you already know what’s coming.

Why is it that whilst many CEOs “think that client data arrives on its own, costs nothing to source and has little or no value” that many Marketing Professional’s think that data compliance is;

• only worthy of a fourth place mention in a list of deriving value from data,
• a purely legal issue,
• and in the event of failure only going to cost £500,000?

Compliancy is at a minimum two part.  Sure remaining within the legal framework set out by the ICO matters – A LOT.  But don’t forget that actually any business holding personal data in the EU is also beholden to the higher and more punitive powers of the EU.

The second part to compliancy is the real sting though, and the one which is often (as here) forgotten.  Breaching data protection legislation may result in fines or restriction BUT it will most assuredly have a greater effect on a business’ reputation.

Consumer trust in businesses holding personal data is already under great scrutiny, breaching that trust could very well cost an awful lot more than £500,000.  Just ask Phorm.

Setting Out for a Win- The #TwitClan Way

UPDATE 18:56 June 14th – I have removed the screen capture from Prestige Gamerz website on request by their administrator.  I have, of course, kept screen captures of source entries for all quoted text and PGz entries.

For those that follow me on Twitter I hereby formally apologise for bombarding your stream with assorted #mkop-twitclan messages all last week.  But I have a story to tell which hopefully may cut me some slack.

It’s June 4th and I received heads up that Microsoft was running a competition via their MyKindofPhone website that held a lot of promise.  Basically they were offering up a prize that any gamer would love;

If you can build the biggest and best gamer clan on Twitter, you and 15 friends could win a big screen gaming experience in London. You’ll get a private cinema with games consoles and the game of your choice ready to play, food, drinks, and we’ll screen one of the best gamer films of all time.

Essentially the competition was to utilise the power of word of mouth marketing by having the entrants get their contacts to tell other people about what Microsoft were doing.  Simple and potentially cost effective marketing.

For those that haven’t previously noticed I’ve been playing Xbox 360 games with a bunch of fellow Twitterers .    Founded earlier in the year by Kip Hakes partly as we had things in common workwise, partly because it gave us a great way to augment our 140 character existence with real voices and build up a set of more meaningful friendships.   For those who were around you may remember us as  #TwitMW2Frenzy,  but honestly that’s just too long for a hashtag.  Nowadays we are to be found under #twitclan or on Xbox Live as [twit].

I dutifully entered the #TwitClan, knocked out a couple of  starter tweets and sat back.

And that was my mistake.  I presumed that with 6 other people also helping and over 800 people following me that the re-tweets would flow and it would be job done.  Not so. At all.

Sure we took an early lead but then another clan entered the race, one with purpose.  The PGz clan were coming directly from a gaming website.  I have no idea how many members they have but it became apparent a couple of days before the competition closed on Friday 11th that it was more than our lowly 6 or 7 as they had come from nowhere to steal the lead.  Fair play to them, they posted calls to arms on their forums and their members responded.

PGz has just entered a competition where 15 of us could win the chance to spend the day gaming in our own private cinema on the big screen!

Prize – If you can build the biggest and best gamer clan on Twitter, you and 15 friends could win a big screen gaming experience in London. You’ll get a private cinema with games consoles and the game of your choice ready to play, food, drinks, and we’ll screen one of the best gamer films of all time.

All we have to do is Tweet the following on Twitter -

#mkop-PGz FTW! PGz demand to win the gaming experience of a lifetime! http://bit.ly/playcomp

Just copy and paste it and Tweet it!

If we win and I believe we have a very good chance, then the lucky 15 PGz members who wish to go will have their names drawn out of a hat in a ‘live’ draw by our very own Axikal!

@gosu71 (http://prestigegamerz.com/forum.html?func=view&catid=1&id=92817)

Unfortunately in the process of jumping ahead a few of their number had talked about “spamming the hell out of this” and also offered up competition prizes of their own in return for help winning which were both at best unsportsmanlike but bordered on breaking the competition rules.   We had a wee moan amongst ourselves but decided to get serious about the whole thing.

In a very brief discussion it was clear that we actually had easy access to a very substantial user base by way of one of our member’s own website.  David Carrington is the owner and developer behind Dabr, a very popular web-based Twitter client used by tens of thousands of people from their mobile phones around the world.

David being a very sensible kind of chap made a call to stick a message on the Dabr website asking for help from his users.  More importantly he showed immense commonsense by;

• doing it in such a way as to only display the message in off-peak times so as not to bombard Twitter with thousands of promotional messages (which may have broken the ToS for Twitter and thus the rules of teh competition),
• making the link ONLY repopulate a re-tweet dialog so that users were fully aware and in control – no auto-bots or privacy issues here thanks, and
• having the whole thing stop asking prior to the competition end so that the overspill was better contained.

All in all a very shrewd set of measures to ensure not only the integrity of Dabr but also so as not to overstep the mark when it came to the rules of the competition.  I will stick my own hand up here to claim ownership of getting both David and another #twitclan member, Matt Jones, to take a number of screenshots of webpage’s and source code at this point knowing full well such a move was going to get us noticed.

Within hours of going live it was pretty obvious that it was likely to be a winning move as the sheer volume of support re-tweets was incredible.  Sure there was the occasional duplicate but when they were coming through on the last night at a couple a minute the number of unique messages was also bound to be high.

We rocketed from 71 odd tweets on the Thursday lunchtime to hundreds by the following morning.  This of course resulted in an outpouring of general name calling from our only real competitor at the time (#PGz).  I don’t think I’ve ever been called out for cheating so many times in my life.  Their annoyance was understandable, they were set for a fail.

The thing is/was that our call for help via Dabr was actually little more than #PGz’s intial call on their own forums, it was just that we chose a site with a bigger audience.  Given the intention of the competition was to drive attention to Microsoft and that it clearly wanted to see as much chatter on Twitter as possible accusations of cheating as only tweets from Clan members should be counted clearly didn’t hold water  (of course there is also the argument that why on Earth would anyone from a small Clan enter if only member tweets would be counted – it would be fait accompli for any large group).

At 12pm on Friday 11th June Dabr breathed it’s last cry for help and we sat back (again), only this time having monitored the opposition and feeling more than a little confident.

The competition closed at 2pm and for over two and a half hours everyone waited for the count.  #TwitClan polled 746 unique user re-tweets (from 71 the day before) based on over 1,400 total in our support.  We were declared the winners.

I won’t cover all the subsequent silliness from various people, it doesn’t help.  The rules were really simple, we stuck to them, pulled some very basic marketing and won through.

What we would have / could have done differently:

1) David is the first to admit he didn’t pay much attention to the close date for a few days, otherwise he’d have set Dabr running from day 1 resulting in an overwhelming win from the outset.  This might have meant a little less name calling.

2) We could have leveraged a number of other well visited sites and Twitter clients, a few Facebook pages – you know all that good social media stuff.  Given more time to prepare I’m confident we could have knocked out well in excess of 10k unique’s over the competition week.

3) Not even tried to communicate with the opposition.  In hindsight all our efforts to placate their concerns did little more than fuel their suspicions.  Hence this post and it’s setting out of our tactics.

Next Time: The Fun Begins

Opting In or Opting Out – I Was Confused

Came across the usual “click the box if you want to receive…” signup on OnlyMarketingJobs.com today, except on second reading (you also second read these things right?) the confusion was apparent.

You’re opting IN for more junk by NOT ticking just to be clear.