Epsilon is merely the latest in a series of publicized, highly embarrassing incidents for retailers where they are taking a consumer black eye for breaches, ethically questionable activities or gaping security holes that were entirely handled by third parties. Whether it's supply-chain management holes perpetrated on a multi-billion-dollar retail chain, SEO efforts against JCPenney or data-backup screw-ups that crippled the American Eagle Outfitter's site for eight days, retail IT execs are learning that as long as they are going to be blamed for what third-parties do in their names, they might as well take a much more active role in beefing up protection of all customer data.
Contractual language requiring performance levels and appropriate procedures is nice, but it does little to prevent disasters. Actively spot-checking performance, with IT staff periodically doing sneak inspections with all third parties that handle crucial data, would be a move in the right direction. But by themselves, audits are expensive (and thus undercut much of the business case for outsourcing these functions in the first place) and don't really solve the problem unless the standards for handling that data are raised.
And it is a problem, even if a retailer's IT group isn't even slightly at fault. How many consumers this week firmly believe that it was Best Buy or Walgreens that suffered an E-mail data breach? Most of the chains did everything they could to throw Epsilon under whatever bus could be found, not that it's doing much good with consumer perceptions.
Best Buy's statement was typical, with a headline that said "Best Buy E-mail Vendor Epsilon Reports That Some Best Buy Customer E-Mail Addresses Were Accessed." The statement was strong in its wording that Epsilon got breached, not Best Buy.
Such nuances don't play. If a consumer gives Best Buy an E-mail address and that address gets stolen, it's Best Buy's fault even if Best Buy didn't do anything wrong. No one ever said life was fair.At a glance, it's easy to say that these chains erred because they all chose to retain the services of this E-mail vendor. But it's not nearly that simple. First, it's not clear yet if Epsilon did anything reckless to allow such a breach. Second, even if it did, there are some practical issues here about how many companies can truly support the efforts—E-mail or otherwise—of this large a set of companies.
A few weeks ago, the CIO of a major brand was discussing an internal outsourcing contract issue. The situation involved a major IT blowup, a move that many within the retailer blamed on the outsourced vendor. After the smoke cleared and tempers calmed, the retailer quietly renewed the contract of this vendor. The vendor involved was one of the largest vendors in retail—with lots of marquee retail names on its customer list—and that was the key issue. Unless hard evidence of something truly reckless, illegal or malicious—the proverbial smoking gun—materialized, changing vendors couldn't be justified.
"When it comes to running high-availability projects of this size, how many others have the experience or manpower to do it?" the CIO asked, adding that there's never a guarantee that a different vendor wouldn't have made the same type of screw-up. Add to that the cost of transitioning, the many months of slowdowns as the data is transferred and the practical lack of any meaningful advantage to the retailer, and it's easy to see why these large outsourcers have staying power.
With Epsilon, the same issues crop up. What would make it worth the effort to switch E-mail marketing firms? There's also safety in numbers. As long as Epsilon is being used by so many major retailers, it feels safe to retain the company.
What's missing are the data security standards that would make big outsourcers places where there's not just safety in numbers for retailers but also actual safety for customer data.
Chains are generally quite good at protecting the data that some outside entity requires them to protect, such as payment data (PCI), shareholder information (Sarbanes-Oxley) or medical data (HIPAA). Unfortunately, this has sometimes had the unintended effect of making data that is not under some legislative or industry requirements seem less critical.
How many huge breaches of such information have to happen before more chains will require internal rules protecting such data? Under those rules, third parties would be scrutinized and monitored much more closely. Are a million E-mail addresses any less valuable than payment-card numbers? What about CRM files? Lists of prescriptions? Inventory files? Supply chain records?
Of course, making the business case for meeting PCI, SarbOx and HIPAA requirements is comparatively easy. Someone else has made those rules, and there are quantifiable fines when those rules are broken. Raising the bar for security of other types of customer data will be a lot more difficult—not just because there's no big financial stick, but because there's no set of defined rules for a data security standard.
There's an easy way to solve that second problem. Every retail chain already has to deal with PCI requirements, so make that the baseline for handling all customer data. That approach has the advantage of simply being an expansion of a security standard that's already a requirement.
The hard part will be finding—and funding—a way to actually make all customer data as safe as payment-card information.