-
Hell – The Right Approach to a Data Breach
Posted on July 23rd, 2010
There are any number of approaches to data breaches in business today. Whilst regulation is ever trying to get to the point where notification of breach is mandatory, there are still plenty of businesses out there who will go to all sorts of lengths to sweep things under the carpet rather than own up.
Not so Hell – a truly rocking pizza company in New Zealand. Certainly no stranger to controversy – some of their marketing campaigns have been widely criticised, Hell seems to be taking the bull-by-the-horns and going all out to keep people happy.
Today I received an email from them…
Dear Valued Hell Customer,
We have been approached by a party claiming to be in possession of
customer details from the previous Hell website which is no longer in
operation. The samples that we received included details of four customers
from 2006, including phone numbers and email addresses and order
information. We can confirm that credit card data was not at risk as this
is held independently on a secure banking website.

Whilst we are still investigating the matter, we can confirm that the
information was obtained without our knowledge and we have approached the
New Zealand Police with a view to lodging a formal complaint. Hell
recognises the importance of protecting customer information and additional
security measures were implemented earlier this year when our new website
was rolled out (again, we reiterate that this is not an issue affecting the
new website). As a further security measure you may wish to consider
changing your passwords on other sites if they were the same as the old
Hell Pizza website.

We apologise for the incident and any inconvenience that this may have
caused.

Sincerely,
Stu McMullin – Director Hell Pizza

We acknowledge that some of you have asked to be removed from the database
and we have only included you for the purposes of this notification.

No mucking about, no bull, just a straightforward “there might be a problem, we know, the police know, so go do this just to be safe”.
This IS the right approach to notification in my opinion.
I’m not totally up to date on NZ privacy law (a couple of years out of date), so it could well be that by now notification is mandatory. Even if it is, props to Hell for getting it out there.
FYI: Hell Pizza really is very very good. Think Pizza Express with attitude. Even better you can get them in the Hell Pizza UK – well London with branches in Fulham, Shepherds Bush and Clapham.
-
My Response to “Putting a Price on Data” by Ian Hitt
Posted on July 15th, 2010
Here is my rapidly put together (and therefore apologies for it not necessarily being totally thought through) response to Ian Hitt’s post over on Reputation Online about “Putting a Price on Data.”
Many marketing professionals think that client data is something they own, have a right to or an ability to sell. Most data professionals will know they’re wrong. Good data is indeed a corporate “asset” and if utilised appropriately can have a high monetary value but…
The thing about client data is that most people in the marketing profession just don’t really understand “data” – sure they can get all righteous about lifeblood, insight and segmentation but actually data itself is not that simple; data is not a database.
Let’s break “client data” down and see if we can’t get some clarity.
“Client” whose client?
cli·ent n.
1. The party for which professional services are rendered, as by an attorney.
2. A customer or patron: clients of the hotel.
3. A person using the services of a social services agency.
4. One that depends on the protection of another.
So from a marketing database perspective there are two clients; the first being the paying customer of the agency (à la point 1) and arguably the data subject, the end user about which data is collected (à la point 4).
It doesn’t take a rocket scientist (or a data professional) to work out that when marketing companies talk about a “client database” what they are actually referring to is the latter; a database of stuff about any number of individual people, often collected over time under various pretences and situations.
In this context the client (albeit often unwittingly) is an individual who relies upon the protection of data about them by the database “owner” – or data controller.
“Data” whose data?
da·ta pl.n. (used with a sing. or pl. verb)
1. Factual information, especially information organised for analysis or used to reason or make decisions.
2. Computer Science Numerical or other information represented in a form suitable for processing by computer.
3. Values derived from scientific experiments.
4. Plural of datum.
The key part here is point 1; data is factual information organised for analysis or decision making and is surely the cornerstone of marketing?
And so to my thoughts on Ian’s post.
A business does not “optimise the value of its database” it seeks to gain value from the quality of the analysis of the data held within that database.
Looking at a couple of Ian’s individual points;
“Volume is important but data quality is paramount. Every record has a value and the whole list needs to be viewed as part of the corporate asset.”
Quality of data is indeed paramount but the very traditional process of acquiring, storing and analysing personal data undertaken by the marketing industry is counter-productive to achieving high levels of data quality. Why? As an example think of some of the simplest personal data held by marketing databases; contact information. My email address, telephone number, even my physical address are not concrete – they change in time. It doesn’t matter how rigid one’s checking for a valid postcode or email address may be when gathering personal data; if the data you are gathering naturally decays then you’ve failed.
Several marketing insight groups are starting to see the light here. Why pay to acquire and store stuff that is by its very nature junk? Far better to ask for the information as and when needed, never to store it (for anything more than easing end-user experience) and to just accept that 100% cleansed data is a myth – it can’t be done.
As for being a “corporate asset” well not really. Firstly as with the example above, it is patently a liability to pay cold hard cash to gather, store, analyse and market to data that is incorrect. Secondly a corporate doesn’t “own” the data per se. I won’t get into the philosophical arguments over whether data is in fact even “ownable” here but the asset lies not in the data but rather the relationship with the data subject and their willingness to maintain that relationship.
“Customer relevance is key, and marketers need to understand consumers in order to appropriately segment them and track their behaviour over time, so that they receive market information which is relevant to them.”
There is, in my opinion, value in trying to understand consumers over time – especially where the level of financial risk (normally through long product lead-times) is high. However this is becoming harder and harder to do. Aside from regulatory restriction the simple fact is that consumers are spreading their attention more thinly across an ever increasing number of online and offline properties. To capture a picture of that consumer through any single database is likely to become less and less accurate.
Loyalty schemes are a good example of this failing. Not your local coffee shop and their paper based card but the big ones, the Nectar cards of the industry. To the consumer they offer a perception of value exchange based on their loyalty to certain brands, in reality they are price discriminators trying to force consumer choice into any single outlet within a vertical market – that’s why you only ever get a single supermarket, garage chain or clothing outlet per scheme.
But the reality of life is that average consumers don’t just use a single supermarket. Take me for example. I use our local Co-Op on a day to day basis, but they don’t sell a particular brand of cereal that #1 son likes, so we do a weekly shop in Waitrose or Sainsbury. Of course if we are over the river in Thurrock we might pop in to the Tesco superstore or if at Bluewater we might hit up the local ASDA. We are kind of loyal to Co-Op but situation matters.
So our share-of-wallet spending in Sainsbury (on the Nectar scheme) is not actually representative of our food spend.
And the same goes for any insight gathering activity.
The “simple” answer actually lies in flipping the model to where the consumer requests stuff from the marketing agency. It’s a wonderful utopian idea, but one which I’m sufficiently pragmatic to accept is unlikely – at least anytime soon.
For me the mid-term solution lies in a third party providing aggregation for consumer behaviour at the behest and under the control of the data subject, the consumer themselves.
This intermediary, a broker, would offer a service where the consumer can easily record, augment and share their data with businesses they want to.
This doesn’t mean the end of marketing insight – but it would spell the end of marketing databases. The playing field would be levelled with marketing agencies competing on their ability to analyse the data to which they are given privileged access rather than who can build the biggest database.
“Emails and resulting data should be collected as a matter of course. There are numerous opportunities to collect emails from customers and it’s surprising how many companies don’t prioritise this activity. Emails should always be as personal as possible. It doesn’t take much effort to have one-to-one communications with thousands, or even millions of customers.”
The enlightened have long since realised that email based marketing really isn’t the way forward. Sure if you send out a million emails for £1 and get a handful of responses it seems like great R.O.I – but honestly I don’t want to get into this, you all know there are better, smarter, more elegant solutions out there.
“Ensure compliancy. It sounds obvious but ensuring your email collection policy is compliant with data law is even more important when you remember that the ICO has the power to fine you up to £500,000.”
For anyone that knows me, or even hears me speak on this issue, I apologise; you already know what’s coming.
Why is it that whilst many CEOs “think that client data arrives on its own, costs nothing to source and has little or no value” that many Marketing Professionals think that data compliance is;
- only worthy of a fourth place mention in a list of deriving value from data,
- a purely legal issue,
- and in the event of failure only going to cost £500,000?
Compliancy is at a minimum two part. Sure remaining within the legal framework set out by the ICO matters – A LOT. But don’t forget that actually any business holding personal data in the EU is also beholden to the higher and more punitive powers of the EU.
The second part to compliancy is the real sting though, and the one which is often (as here) forgotten. Breaching data protection legislation may result in fines or restriction BUT it will most assuredly have a greater effect on a business’ reputation.
Consumer trust in businesses holding personal data is already under great scrutiny; breaching that trust could very well cost an awful lot more than £500,000. Just ask Phorm.
-
Opting In or Opting Out – I Was Confused
Posted on May 4th, 2010
Came across the usual “click the box if you want to receive…” signup on OnlyMarketingJobs.com today, except on second reading (you also second read these things right?) the confusion was apparent.
You’re opting IN for more junk by NOT ticking just to be clear.

-
Spotify’s New “Social” Release Fails Basic Privacy Test
Posted on April 27th, 2010
How excited was I to see the announcements for the latest release of Spotify this morning? It allows for connecting to friends – albeit only via Facebook, integration of your existing music catalogue and a few other bits of awesomeness.
BUT (and I really shouldn’t have been that surprised given the Facebook tie in) the default settings for the installation are to share anything and everything from installation.
So anytime you create a new playlist it gets shared. Unless of course you go and manually disable automatic updates.

Given all the flak Google got over Buzz and its presumptions on automatically opting people in, given all the grief Facebook gets for its over sharing, it is such a shame to see Spotify falling into such a simple trap.
Oh and don’t even get me started on seeing adverts re-appear on my desktop version – I am a paid up member of the premium subscribers gang which was supposed to be non-advertising!
UPDATE: It gets worse. After a few minutes use adverts are popups, and also taking over other areas in the UI. On a netbook this is unacceptable as space given over to my music is already squeezed and now it’s even worse. Also audio adverts have re-emerged. Not happy at all.
-
Want to Transform Your Business? The Power of Pull
Posted on March 17th, 2010
As a consultant a lot of my work since the late nineties has been looking at how, by using semantic technologies, data navigation techniques and internet scale identity, product strategy can be subtly tweaked to better fit the rapidly evolving needs of consumers first, business second.

Why? Well for anyone who has read The Cluetrain Manifesto it’s obvious, for everyone else; quite simply when a business actually places the needs, wants and desires of their customers above those of the business (or its shareholders) then they thrive.
Since being back in London I’ve been lucky enough to meet many interesting people sharing similar ideologies. From the wonderfully enthusiastic Jonathan MacDonald and his “Every Single One of Us” movement to the truly inspiring militant in Adriana Lukas and “her” Mine project. All these projects, startups and thinking pretty well follow up on where Cluetrain left off, each takes a slightly different direction or stance.
Thus far though, for all their efforts I have yet to see any single project offer up good solid advice on why business should adopt the thinking of placing the consumer in charge let alone pragmatic guidance on practical use cases for identity, semantics and generally doing things in this way.
I can’t even remember how I stumbled upon “Pull” now earlier in the week. Twitter most likely but I could see instantly that the author (David Siegel) and his team at The Power of Pull had obviously been paying attention to all the work put in over the years by a great many technologists, marketeers, anthropologists et al.
I’m not even going to try to describe the book, rather I will paste verbatim their own description below; BUT for those that have heard me talk on identity, privacy, trust, semantics, data – in fact ANYTHING over the last ten years then you simply must go and buy this book, read, remember, acknowledge and move your business forward.
Anyway here is David’s own blurb…

How the pull paradigm and the semantic web combine to help businesses face the challenges of the future.
The Problem
On the Web today, we see millions of web sites, each of which presents web pages and documents. These are simply electronic versions of the old paper-based ways of doing things: writing checks, filing taxes, looking at menus, catalog pages, magazines, etc. When you search for something on Google, you get a list of web sites that may or may not have what you’re looking for, based on keywords found in the text. You have to look at each one and decide whether it answers your question. Google doesn’t know where the information or answers are; it just knows which pages have which keywords and who links to them.
Our information infrastructure isn’t scaling up very well at all. The average person now sees over 1,000,000 words and consumes 34 gigabytes of information every day. Mike Bergman estimates white-collar workers spend 25% of their time looking for the documents and information they need to do their work. One billion people are online now, and 4 billion have mobile phones. Exhaustion of IPv4 addresses (limit is 4 billion) is predicted for sometime in 2011. By 2030, there will be a minimum of 50 billion devices connected via internet and phone networks. Our information infrastructure is built to haul electronic versions of 19th century documents for humans to read, and it’s keeping us from using information effectively.
The solution to our information problem is the semantic web and the pull paradigm.
The Semantic Web
The semantic web is nothing less than an overhaul of our information infrastructure, according to these basic principles:
- Electronic information will become unambiguous. Another word for semantic is unambiguous. In the Semantic Web, we declare what we mean in precise, standardized terms. Data that is semantic means exactly the same thing to any system or person who uses it.
- Data will become findable. Already we are seeing the emergence of the Open Web, where information lives online and can be found easily. There will be central repositories and central hubs that link information together. This is called “linked data in the cloud” and is the next transformation after services and software go online (see linkeddata.org). Humans now use 1% of all electricity to power data centers. The percentage will quadruple in ten years.
- Data will be reusable. We’ll keep all our data online in semantic formats and use it over and over by pointing to it. Data will become like Lego building blocks of information that can be combined and recombined to suit each particular task.
- Data will be interoperable. We won’t have to translate from one system to another. As an example, Edgar.gov will soon become a cloud-based hub for XBRL data from companies reporting results. Since everyone uses the same standards, all the software will be able to tie into the original sources of data and use it in the way that’s most meaningful to the subscriber.
- Devices will be ubiquitous. There won’t be any more computers as we know them. Apple OS and Windows as well as Google Android, iPhone, Blackberry, TVs, and book readers will all be replaced by Net-based screens of all sizes that simply see the web and do everything online. The market for netbooks is currently growing at 40% per quarter vs notebooks’ 20%. Prices will drop through the floor. Screens will be on your wrist, on your car dashboard, or on your wall, and they will connect to the net, where everything will take place.
- Systems will be flexible. We’ll start using flexible knowledge models and declarative systems that use data, rather than encoded processes, to drive business systems. Today’s procedure-driven software has already broken (most enterprises spend 80% of their IT budgets on maintenance). Tomorrow’s flexible systems will be adaptive – they will respond in real-time to business events and change themselves daily as the business environment changes.
- Real time. The semantic web lets us close the gap between what happens in the real world and when we know it. When the processes and products themselves generate the data, we will go to a real-time economy that will be much more efficient than our time-lagged way of doing things today.
The Pull Paradigm
We are making the transition from pushing information to pulling it, and that will change everything. Originally, the TV networks sent out signals for shows according to a schedule that benefitted their advertisers. Then, VCRs let consumers watch when they wanted and skip the ads. Now on-demand services let consumers watch a handful of TV shows whenever they like. The future is online, where you can find and watch any video ever recorded any time you like on any device.
- This will happen in all industries. People will pull information to them whenever, wherever, however they like. People will use online data lockers to store and guard their information, and that will replace today’s computers. It will power everything. We’ll store all our preferences there, so rather than managing music we’ll manage our preferences. This will allow us to (finally) use software agents to look for things on our behalf.
- Many processes will invert, in favor of the customer. No longer will we “push” things through the supply chain. Instead, customers will “pull” items through. Consumers will pull services on demand. Marketing will change from outbound messaging to responding to queries. We won’t search for things; we’ll say what we are looking for and let things find us instead. Software will cost 10% of what it costs today and will be much cheaper to maintain. Everyone will be both a producer and consumer of information that becomes part of the ecosystem.
- Account portability will be a leading indicator. When people can port their accounts from one vendor to another, the power in the relationship will flip. An early project is called Vendor Relationship Management, which will get the whole process rolling, in the same way that the video recorder did for television. Imagine if you could port your entire checking account or brokerage account to another bank and have the new bank understand everything – that’s the semantic web. It promises to cut the cost of health care by 25%, and that’s just the beginning.
- The result is the performance economy, where companies can’t afford to be on the other side of the table from customers. In the performance economy, you gain only when your customers do. Many industries will be flattened. It’s just getting started, but this model will come to dominate in the 21st century.
See? Like I said – go buy this book.
Update: There is a podcast interview with David Siegel over on the excellent IT Conversations website with the good Mr Windley and for those wanting a quick 62 minute intro it’s a great place to start.








