By now there have been thousands of news stories on the security breach at Epsilon, a Dallas-based email marketing service provider. Many of the headlines have led with the names of some of the firm’s biggest clients, like Chase, Target, or Kroger. Others have seemingly tried to frighten consumers into reading the story by asking, “Has your email been stolen?” Still others have tried to alert consumers to expect more spam or, more importantly from a security perspective, to be alert to phishing attempts.
People have been posting that they’ve received 5, 6, 10, or even 20 notifications as a result of the breach, but what’s the real story here? I look forward to reading the analyses of the security professionals, but as a consumer and privacy advocate, I’ve been mulling over what the Epsilon breach really signifies. Here’s how I see what should have been the bigger headlines for this incident:
“Who the heck is Epsilon and why do they have my data?”
One thing that should become obvious, even to those in Congress who have lived under a business-hugging rock, is that most consumers really have no idea who is in possession of their information. We don’t knowingly grant a specific firm permission to retain or use our data, and we would have no idea which company to approach directly if we had a question about it. Giving consumers the right to correct their data or ask for its deletion needs to be accompanied by a clear statement of who has that data in the first place.
“Companies have no legal obligation to report a data breach”
Given our crazy patchwork of breach notification laws in the U.S., companies here may have had no obligation to notify customers. Indeed, I can think of no state, offhand, that requires breach notification for “just” a name and email address, can you?
Should there be a required notification for name plus email address? I can already anticipate the objections, based on cost and on the risk that over-notification will allegedly lead consumers to ignore notifications altogether. But if you do think that such breaches should result in notification because of the risk of spear-phishing, how do you reconcile that with the fact that the education sector treats names plus email addresses as “directory information” that it can publish or disseminate without breaching federal privacy laws?
The U.S. has so far failed to come up with an agreed-upon definition of “personally identifiable information” and “sensitive personally identifiable information.” That lack of a uniform federal definition puts us well behind Europe, where definitions have long been established.
“I unsubscribed, so why did they still have my data?”
Some consumers complained on Twitter that they were angered to get a notification because they had terminated any relationship with the company years earlier. In some cases, like the consumer who was surprised to get a notice from Red Roof Inn although he had not stayed with them since 2003, the notice reminds us that data lives on forever unless we explicitly demand its deletion from current and backup files – or until Congress imposes some regulations requiring automatic deletion of data after a certain period of time.
“Who’s minding the store on security for outsourced data?”
The issue of securing outsourced data is an old one, but if the Epsilon breach teaches anything, it will hopefully teach businesses that they need to pay even more attention to security at their vendors. There were attacks on email service providers in 2009 and 2010. The ones in 2010 got a bit more media attention, and Brian Krebs did a great job of trying to expose the concern, but here we are six months later and there’s another huge breach. A Walgreens spokesperson who responded to my inquiry as to why they had suffered a second breach of their customers’ data in recent months wrote, “After the incident last year, Walgreens requested that Epsilon put a number of additional security measures in place. Apparently, that expectation was not fully met.”
Walgreens asked for additional security. Did they actually follow up to ensure that any changes Epsilon made were adequate, or did they just accept assurances? I don’t know, but it doesn’t matter whether you’re in the business sector or the health care sector: business associates and vendors are responsible for a significant percentage of data breaches, and it seems apparent to this humble consumer that entities need to investigate and audit the security of their vendors as seriously as they audit and monitor the security of the data they retain on their own servers.
Epsilon has much more data than just names and email addresses; it holds a wealth of information that it mines about consumers. The fact that those data were not acquired or stolen, this time, is a matter of dumb luck for consumers. But it is also a matter of dumb security: weren’t the data encrypted? If not, why not? (And if they were, encryption at rest only helps when the intruder cannot also reach the keys or the application that decrypts the data for everyday use, so how the attackers got in matters as much as whether the disks were encrypted.)
So… what do you think the headline should have been for the Epsilon breach?
Related: List of companies affected.
“Large Companies Complicit in Epsilon’s Breach”
Big business has abdicated responsibility for information security to lowest-cost, third-party suppliers, knowing that consumers and press will not hold them accountable for data loss. Consumers are totally justified in opting out of all e-marketing, and in many cases just taking their business elsewhere. Should we believe Epsilon has sole responsibility for our data and totally excuse the companies that trusted them with it?