sharing stuff that @barneyc finds interesting
  • Hell – The Right Approach to a Data Breach

    Posted on July 23rd, 2010 BarneyC

    There are any number of approaches to data breaches in business today.  Whilst regulation is ever trying to get to the point where notification of breach is mandatory there are still plenty of businesses out there who will go to all sorts of lengths to sweep things under the carpet rather than own up.

    Not so Hell – a truly rocking pizza company in New Zealand.  Certainly no stranger to controversy – some of their marketing campaigns have been widely criticised, Hell seems to be taking the bull-by-the-horns and going all out to keep people happy.

    Today I received an email from them…

    Dear Valued Hell Customer,

    We have been approached by a party claiming to be in possession of
    customer details from the previous Hell website which is no longer in
    operation.  The samples that we received included details of four customers
    from 2006, including phone numbers and email addresses and order
    information. We can confirm that credit card data was not at risk as this
    is held independently on a secure banking website.

    Whilst we are still investigating the matter, we can confirm that the
    information was obtained without our knowledge and we have approached the
    New Zealand Police with a view to lodging a formal complaint.  Hell
    recognises the importance of protecting customer information and additional
    security measures were implemented earlier this year when our new website
    was rolled out (again, we reiterate that this is not an issue affecting the
    new website). As a further security measure you may wish to consider
    changing your passwords on other sites if they were the same as the old
    Hell Pizza website.

    We apologise for the incident and any inconvenience that this may have
    caused.

    Sincerely,
    Stu McMullin – Director Hell Pizza

    We acknowledge that some of you have asked to be removed from the database
    and we have only included you for the purposes of this notification.

    No mucking about, no bull, just a straightforward “there might be a problem, we know, the police know, so go do this just to be safe.”

    This IS the right approach to notification in my opinion.

    I’m not totally up to date on NZ privacy law (a couple of years out of date), so it could well be that by now notification is mandatory.  Even if it is, props to Hell for getting it out there.

    FYI: Hell pizza really is very very good.  Think Pizza Express with attitude.  Even better you can get them in the Hell Pizza UK – well London with branches in Fulham, Shepherds Bush and Clapham.

  • Trust in Imagery – Have BP Been Caught Out Faking Things Again?

    Posted on July 22nd, 2010 BarneyC

    Pretty well EVERYONE by now has seen the poorly faked up Response HQ photo from BP.  It’s even done mainstream news and there’s been an apology from BP.  Seemed dumb, especially as all they were actually doing was filling in two or three blank screens.

    Well, today another photo has emerged that also looks decidedly odd (the original is here).

    All looks fairly innocuous but there are a few bits out of place.

    1. The control tower top left?  It would be over 200 feet tall to be up there surely?

    2. The footwell light bottom right is a totally different colour to the surrounding sea.

    3. A close look at the status screens shows doors and ramps as being open – at this height, really? (unfortunately I don’t know enough about the instruments to delve further).

    4. That’s a very odd blur below the ship in the left hand windscreen – not at all like a smear on the screen.

    BUT the best thing is the guy on the left has his fingers crossed.  Was it trepidation at the pending take-off (come on we all know this was pre-flight) or is he a BP exec just hoping people won’t notice?

    Now of course there may well be plenty of image experts out there who will be able to prove this is an original and un-doctored image, BP may even come out fighting but honestly given their recent muppetry just how much do you trust the image above?

  • My Response to “Putting a Price on Data” by Ian Hitt

    Posted on July 15th, 2010 BarneyC

    Here is my rapidly put together (and therefore apologies for it not necessarily being totally thought through) response to Ian Hitt’s post over on Reputation Online about “Putting a Price on Data.”

    Many marketing professionals think that client data is something they own, have a right to or an ability to sell. Most data professionals will know they’re wrong.  Good data is indeed a corporate “asset” and if utilised appropriately has a high monetary value but…

    The thing about client data is that most people in the marketing profession just don’t really understand “data” – sure they can get all righteous about lifeblood, insight and segmentation but actually data itself is not that simple; data is not a database.

    Let’s break “client data” down and see if we can’t get some clarity.

    “Client” whose client?

    cli·ent  n.

    1. The party for which professional services are rendered, as by an attorney.

    2. A customer or patron: clients of the hotel.

    3. A person using the services of a social services agency.

    4. One that depends on the protection of another.

    So from a marketing database perspective there are two clients; the first being the paying customer of the agency (ala point 1) and arguably the data subject, the end user about which data is collected (ala point 4).

    It doesn’t take a rocket scientist (or a data professional) to work out that actually when marketing companies talk about a “client database” what they are actually referring to is the latter; a database of stuff about any number of individual people, often collected over time under various pretences and situations.

    In this context the client (albeit often unwittingly) is an individual who relies upon the protection of data about them by the database “owner” – or data controller.

    “Data” whose data?

    da·ta  pl.n. (used with a sing. or pl. verb)

    1. Factual information, especially information organised for analysis or used to reason or make decisions.

    2. Computer Science Numerical or other information represented in a form suitable for processing by computer.

    3. Values derived from scientific experiments.

    4. Plural of datum.

    The key part here is point 1; data is factual information organised for analysis or decision making and is surely the cornerstone of marketing?

    And so to my thoughts on Ian’s post.

    A business does not “optimise the value of its database” it seeks to gain value from the quality of the analysis of the data held within that database.

    Looking at a couple of Ian’s individual points;

    “Volume is important but data quality is paramount. Every record has a value and the whole list needs to be viewed as part of the corporate asset.”

    Quality of data is indeed paramount but the very traditional process of acquiring, storing and analysing personal data undertaken by the marketing industry is counter-productive to achieving high levels of data quality.   Why?  As an example think of some of the simplest personal data held by marketing databases; contact information.  My email address, telephone number, even my physical address are not concrete – they change in time.  It doesn’t matter how rigid one’s checking for a valid postcode or email address may be when gathering personal data; if the data you are gathering naturally decays then you’ve failed.

    Several marketing insight groups are starting to see the light here.  Why pay to acquire and store stuff that is by its very nature junk?  Far better to ask for the information as and when needed, never to store it (for anything more than easing end-user experience) and to just accept that 100% cleansed data is a myth – it can’t be done.

    As for being a “corporate asset” well not really.  Firstly as with the example above, it is patently a liability to pay cold hard cash to gather, store, analyse upon and market to data that is incorrect.  Secondly a corporate doesn’t “own” the data per se.  I won’t get into the philosophical arguments over whether data is in fact even “ownable” here but the asset lies not in the data but rather the relationship with the data subject and their willingness to maintain that relationship.

    “Customer relevance is key, and marketers need to understand consumers in order to appropriately segment them and track their behaviour over time, so that they receive market information which is relevant to them.”

    There is, in my opinion, value in trying to understand consumers over time – especially where the level of financial risk (normally through long product lead-times) is high.  However this is becoming harder and harder to do.  Aside from regulatory restriction the simple fact is that consumers are spreading their attention more thinly across an ever increasing number of online and offline properties.  To capture a picture of that consumer through any single database is likely to become less and less accurate.

    Loyalty schemes are a good example of this failing.  Not your local coffee shop and their paper based card but the big ones, the Nectar cards of the industry.  To the consumer they offer a perception of value exchange based on their loyalty to certain brands, in reality they are price discriminators trying to force consumer choice into any single outlet within a vertical market – that’s why you only ever get a single supermarket, garage chain or clothing outlet per scheme.

    But the reality of life is that average consumers don’t just use a single supermarket.  Take me for example.  I use our local Co-Op on a day to day basis, but they don’t sell a particular brand of cereal that #1 son likes, so we do a weekly shop in Waitrose or Sainsbury.  Of course if we are over the river in Thurrock we might pop in to the Tesco superstore or if at Bluewater we might hit up the local ASDA.  We are kind of loyal to Co-Op but situation matters.

    So our share-of-wallet spending in Sainsbury (on the Nectar scheme) is not actually representative of our food spend.

    And the same goes for any insight gathering activity.

    The “simple” answer actually lies in flipping the model to where the consumer requests stuff from the marketing agency.  It’s a wonderful utopian idea, but one which I’m sufficiently pragmatic to accept is unlikely – at least anytime soon.

    For me the mid-term solution lies in a third party providing aggregation for consumer behaviour at the behest and under the control of the data subject, the consumer themselves.

    This intermediary, a broker, would offer a service where the consumer can easily record, augment and share their data with businesses they want to.

    This doesn’t mean the end of marketing insight – but it would spell the end of marketing databases.  The playing field would be levelled with marketing agencies competing on their ability to analyse the data to which they are given privileged access rather than who can build the biggest database.

    “Emails and resulting data should be collected as a matter of course. There are numerous opportunities to collect emails from customers and it’s surprising how many companies don’t prioritise this activity. Emails should always be as personal as possible. It doesn’t take much effort to have one-to-one communications with thousands, or even millions of customers.”

    The enlightened have long since realised that email based marketing really isn’t the way forward.  Sure if you send out a million emails for £1 and get a handful of responses it seems like great R.O.I – but honestly I don’t want to get into this, you all know there are better, smarter, more elegant solutions out there.

    “Ensure compliancy.  It sounds obvious but ensuring your email collection policy is compliant with data law is even more important when you remember that the ICO has the power to fine you up to £500,000.”

    For anyone that knows me, or even hears me speak on this issue, I apologise; you already know what’s coming.

    Why is it that whilst many CEOs “think that client data arrives on its own, costs nothing to source and has little or no value” many Marketing Professionals think that data compliance is:

    • only worthy of a fourth place mention in a list of deriving value from data,
    • a purely legal issue,
    • and in the event of failure only going to cost £500,000?

    Compliancy is at a minimum two part.  Sure remaining within the legal framework set out by the ICO matters – A LOT.  But don’t forget that actually any business holding personal data in the EU is also beholden to the higher and more punitive powers of the EU.

    The second part to compliancy is the real sting though, and the one which is often (as here) forgotten.  Breaching data protection legislation may result in fines or restriction BUT it will most assuredly have a greater effect on a business’ reputation.

    Consumer trust in businesses holding personal data is already under great scrutiny, breaching that trust could very well cost an awful lot more than £500,000.  Just ask Phorm.

  • Spotify’s New “Social” Release Fails Basic Privacy Test

    Posted on April 27th, 2010 BarneyC

    How excited was I to see the announcements for the latest release of Spotify this morning?  It allows for connecting to friends – albeit only via Facebook, integration of your existing music catalogue and a few other bits of awesomeness.

    BUT (and I really shouldn’t have been that surprised given the Facebook tie in) the default settings for the installation are to share anything and everything from installation.

    So anytime you create a new playlist it gets shared.  Unless of course you go and manually disable automatic updates.

    Given all the flak Google got over Buzz and its presumptions on automatically opting people in, given all the grief Facebook gets for its over sharing, it is such a shame to see Spotify falling into such a simple trap.

    Oh and don’t even get me started on seeing adverts re-appear on my desktop version – I am a paid up member of the premium subscribers gang which was supposed to be non-advertising!

    UPDATE: It gets worse.  After a few minutes use adverts are popups, and also taking over other areas in the UI.  On a netbook this is unacceptable as space given over to my music is already squeezed and now it’s even worse.  Also audio adverts have re-emerged.  Not happy at all.

  • Are We Ever Really Without Identity?

    Posted on March 30th, 2010 BarneyC

    Image courtesy of Liquene

    Last week I attended a Mashup Event in London on The Value of Your Digital Identity.  There is plenty of write up available online with this piece from Jude Umeh from the BCS being amongst the most rich.

    In Jude’s post he restates a question raised during the panel session by Ben Hoyle, a European Patent Attorney;

    “What about those lacking an identity? There are many still without bank accounts or fixed addresses”

    It’s an interesting question simply because it highlights what I believe to be a common misunderstanding of identity; that identity is something we have, create or obtain.

    I don’t want to get into the philosophy behind identity or indeed into the technicalities – those are well discussed by people far more knowledgeable than myself but a simple viewpoint here may be helpful to most.

    Identity is generally accepted to be “an aggregate of all those views, opinions, thoughts etc about the self from third parties.”

    Confused?  Okay think of this;  One’s name is not one’s identity.  I have many names none of which I have given myself.  My parents called me Barnaby, my friends Barney, my kids Dad and any number of other less repeatable names by various people over the years.  The point here is these are identifiers for me.  More importantly they are identifiers for me in particular situations or contexts from other people’s perspectives.

    In marketing speak these are persona, they are the various roles I play in life.

    My identity is all of these mashed up together.  It’s just that a third party may only ever see me in one role, or persona and so to them that is my apparent identity.

    Just to make this a tad more confusing, strictly these identifiers (names) are for the relationship (role) that I play with others.  Whenever I interact with someone (or indeed something else – say a business) a relationship is created and intrinsically so is an identifier.  For example when I first shop with a business I play the role of customer to which I am assigned a customer number as an identifier – the weird thing is I as the customer may never even be aware of that identifier as it may be nothing more than “he was the one hundred and thirtieth customer in store number 6 on that date.”

    Okay so identity is everything you do, created about you by others for the purposes of defining a relationship of some sort.

    So back to the question of “What about those lacking an identity? There are many still without bank accounts or fixed addresses”

    Given the above view on identity I would posit that there are a very very very small number of individuals in the modernised world who have NO identity.  Strictly speaking everyone the second they are born (not going to argue the whole conceived thing here) has identity as they have a direct relationship not only with their mother but also with whomsoever played midwife / OBGYN.

    We get given a name, our birth is registered, we enrol in school, start work and get a National Insurance Number in the UK (think SSN in US).  Every time we interact with another person, agency or business yet another identifier is created.

    So in a modern society we are never really without identity.  With regards to the question posed by Ben the problem isn’t a lack of identity but more a distinct absence of transferable identity.

    Curiously this is a problem well understood by large web properties and in particular social networks.  I may have an account on say Facebook with a huge wealth of Barney invested but when I want a new Twitter account I am in effect an “identity less” new user with little baggage or ability to transfer my self from one service to another.

    The web space has been pondering this for years.  OpenID was and is (post its blog spam prevention conception) touted as a solution for porting and identifying one’s self from site to site.  Today OAuth, Google FriendConnect and FBConnect offer a glimpse of what identity portability may provide in the future.

    Back on topic though.  If I wanted a bank account I would be asked for identification to which I could produce any number of pieces of information; from driver’s license to passport to a fingerprint of my social graph – a map of all my personal relationships. The fact is any identity identifying details could and should suffice (bank regulation accepting).

    So because a person doesn’t have a bank account or a fixed permanent address does not render someone identity less at all.  It’s just that current structures for identifying an individual are tied to far too strict a set of minimal options.

    As a byword; in New Zealand the driver’s license is ONLY acceptable in law as proof of entitlement to drive on public roads.  It is NOT a piece of identification that can be legally relied upon for any other purpose.  Yet I have clear recollection of opening a new bank account with KiwiBank – a state owned and run bank, where it was THE ONLY form of identification they would accept.

    There is one situation though where people do appear to be identity less – the refugee, and more particularly the stateless individual.  In a series of conversations and arguments with Vinay Gupta during early 2009 he was able to convince me of situations in his experience in Africa where people without papers or any physical form of identification were held in refugee camps after crossing borders.  To the hosting country they were in effect identity less.  No one was willing to even go so far as to assign a case number or start asylum proceedings.  They were no one in the eyes of others.