It’s starting to seem like consumers are getting hack notifications almost as often as the Northeast has been getting snowstorms this year. This Sunday, I found myself the recipient of yet another notification – this one from kickstarter.com. By all accounts, this is getting really old.
You might wonder why I’m writing about the kickstarter.com hack in a retail-oriented blog. Well, just like consumers don’t think about retail in terms of ‘channels’ even though retailers are fixated on “omni-channel” everything, they also don’t think about the fine points of the difference between fund raisers like Kickstarter.com and retailers selling actual merchandise like Target. All they think of is “These people are collecting information about me and my bank accounts and are doing an awful job keeping it safe.”
In fact, a Facebook connection (and a very bright woman) who knows I’m involved with retailers wrote the following on my Facebook page after receiving her Kickstarter letter, “Hey, can you prevail upon the retail powers that be to stop asking for so much personal information. They can’t possibly still think they can keep peoples’ data safe.” Retailers may cry “No fair”…but consumers just don’t care.
I got similar comments to the post I made on Forbes about Target’s data breach. People who had never even shopped at Target, or who hadn’t shopped there in close to a decade, got “the letter” from Target. I was one of them. As I tried to rationalize my own letter, I thought “Well, perhaps I bought something online from them a long time ago.” But I never became a member of their site, and I never expected they’d store my information for that many years. A couple of commenters were quite indignant, being taken completely by surprise at the fact that their data was stored at all. (Note: Retailers and others have to keep your information for a little while in case you want to return the merchandise or otherwise dispute the transaction. But how long should “a little while” be?)
Later, a fellow retail watcher suggested to me that I might never have shopped on Target’s site at all. They might have bought my name from another retailer and then filled in the blanks with information from a company like Acxiom. Acxiom is in the business of supplying businesses with marketing data. In fact, as a public service, the company put up a web site, aboutthedata.com, which will let you see the data they’re actually sharing, and offers you the opportunity to opt out of data sharing if you like. However, they warn you that this will not reduce the number of ads you receive. In fact, they claim you’ll get more, less relevant ads if you do so. An informal poll of friends and associates a while back told me that the “hit rate” (the percentage of times people found themselves in Acxiom’s database) was about 65%. In an exquisite irony, some friends didn’t want to supply the information Acxiom’s site needs to find them in the first place.
I found my data. A lot of my “likes” were really wrong. A trip to Galapagos in 2012 and an appreciation for bedding from L.L. Bean led the company to assume I love camping. God…nothing could be further from the truth. Camping for me is sitting on a lawn eating food from a food truck. In any case, I corrected some data and left the rest.
The point is that this data is available to anyone who’d like to buy it for legitimate reasons (which boil down to getting you to spend money for one reason or another). And that’s the problem in a nutshell. Our personal data can be bought, sold and stolen, and we might have nothing to do with it at all. Did Target buy my data from Acxiom? I have no idea. I buy enough stuff on-line that it’s not impossible that I bought something from Target.com a few years ago. And then they went to Acxiom to fill in the blanks.
I think it’s time we called for more transparency. Acxiom made a great start with aboutthedata.com. But let’s ask all the merchants of all kinds who capture our personal data to do several things:
- Let consumers know what data is being saved and how long they are saving it. It wouldn’t hurt to explain why they’re saving it as well.
- Create a consortium between banks, credit card processors, terrestrial retailers and on-line merchants whose sole job it is to create standards around the creation, retention, safety and security of that data.
- Recognize that NO standard, regardless of how seemingly rigorous, is guaranteed to protect data in an ever-changing world.
- Use the consortium I described above (Information Sharing and Analysis Centers or ISACs) to work together to evolve and enhance security standards on an ongoing basis.
We’ve wandered into a new world that demands these kinds of standards. Sometime in the next eight to ten weeks, spring will come and the snowstorms will stop. You can take that to the bank. I wish I could say the same about “the letters.” I fear I’ll keep getting them until the payment ecosystem itself starts working together to change its ways.