Retailers have a vested interest in keeping shopper marketing data away from prying eyes. They likewise have a vested interest in safeguarding consumers’ financial information against trust-eroding security breaches. But are retailers doing enough to protect data and address the risks associated with capturing, storing and crunching it?
Retailers we approached weren’t eager to discuss their security measures – “The first rule of security is you don’t talk about security,” said one exec – so we posed our questions to industry observers and insiders, including two former supermarket executives.
What types of data do retailers collect and do they require different levels of protection?
Mark Hertenstein: Retailers collect shopper data in two forms requiring two different levels of security. The first is transactional data, which holds all the information regarding how many of Product A am I selling versus Product B or C. It’s critical information for the retailer and how they run their operations as well as for manufacturers and how their products are performing at that retailer. From a security standpoint, not much can be done with the data because it’s not linked to specific consumers. The second level of data links to personally identifiable information, or PII. Once you start collecting that kind of data, including loyalty card information, you have a responsibility to consumers to protect it because it tells so much about their behavior as consumers.
Mark Heckman: If someone gets their hands on frequent shopper data, where you have emails and purchase history and things like that, it’s of little consequence compared to a breach of financial data. When you start collecting transactional data at the household level, you want to make sure it’s secured behind a firewall, but rarely does a breach become an issue on that level of data collection. The big concern is the financial data, and though it’s a much different animal, it’s all kind of bleeding into one. Many retailers offer private-label credit cards, or they house data that provides a path to people’s bank accounts. That requires a whole different level of security.
Do hackers and fraudsters have any use for non-financial shopper data?
Heckman: If you steal my data and now you know I like canned tomatoes, that’s a no-harm, no-foul situation. Shoppers expect this information to remain private, but it’s not the same as if their financial data were compromised.
Hertenstein: When this type of data hacking goes on, they’re really just trying to get into a database to gain access to individual consumer accounts as a starting point, and from there they hope to gain access to financial information.
Target’s attacker used a contractor’s portal as a point of entry and eventually got to the POS systems, so could a bad guy breach a shopper marketing database and worm his way to consumers’ financial data?
Ron Lunde: Yes, someone’s purchase history can be a back door to credit card information — unless there’s a lock on that door. Remember 33 rpm records? You put the needle on the edge and it went all the way to the inner edge. That, in essence, is what a hard drive disk does, so once someone is in the system, he can start on the outer edge and work toward the inner edge to find information. Now, a hacker doesn’t care who you are; he just wants your credit card number. And once he has that, he doesn’t care if you like Hershey bars instead of Mars bars, but that may be his point of entry.
The way retailers are collecting, storing and using data, what are some of the vulnerabilities?
Tulay Girard: Vulnerabilities can stem from insufficient hardware and software tools, and also employees’ risky behaviors while using the internet. One click is all it takes for malware to take over a computer or server if sufficient security software programs and a firewall are not in place and updated. Customer data really needs to be protected on a different server than the one that employees use to check emails and use the internet. Customer data can be backed up to a storage space that is connected to the internet only when necessary.
There’s HIPAA to safeguard people’s health data. Is there a law governing how retailers collect, store and use consumers’ personal information?
Fernando Bohorquez: Yes and no. There is no one consumer federal privacy law. Instead, we have a broad consumer protection law under the Federal Trade Commission Act that generally prohibits deceptive and unfair trade practices applicable to consumer privacy, and a system of federal statutes that target industry sectors and specific commercial activities. These federal laws overlap with numerous consumer privacy and data security state laws and regulations and various industry self-regulatory programs.
Staying current with technology seems like a reasonable security measure. Are retailers on top of this?
Hertenstein: I think security for most IT departments is an important issue. They are aware of it, they are working on it, and when they’re vetting vendors to upgrade systems, what security precautions are in place is a question they ask. But there’s also the budget to consider. You have to keep upgrading your IT system over time, but you’re not just going to throw out an entire system and bring in a new one tomorrow because it has new security features.
Heckman: Retailers have a lot of catching up to do. Several major retailers haven’t installed chip card readers. Walmart made a strong push to roll out that technology in their stores, but other retailers are pushing it off. There’s a tremendous amount of exposure out there just because retailers have not invested in updating their technologies.
You’d think the recent spate of breaches would have retailers on their toes, but are they instead exhibiting what security industry experts call cyber fatigue?
Heckman: I do think there’s a general feeling of complacency in the retail industry when it comes to allocating dollars to security just because we tend to be so reactive to the day-to-day rigors of staying competitive. Investing in security and taking the extra steps to make sure customer data is protected doesn’t show an ROI. It’s not discussed until there’s a problem and you’ve lost market share and revenues due to a data breach. It needs to be talked about and there needs to be somebody in the organization whose job it is to make sure the systems are being updated commensurate with the sophistication of the criminal element that’s trying to get into them.
Who owns shopper data and who has access to the data?
Hertenstein: The retailer owns the data. In some cases they will allow people to utilize the data for analytics purposes. In other cases retailers do cooperative programs with manufacturers. There are a lot of different ways retailers will allow access to data for specific programs or initiatives.
Heckman: What retailers typically do is give a brand remote, web-based access into a certain segment of data, separate from the core database, so that they can do some analysis or look at promotional effectiveness and those kinds of things. But, typically, that data is not attached to a name and address. It’s hard for me to think of any retailer that would allow a third party to have both the shopper data and the customer information in their control.
Girard: Disreputable retailers, on the other hand, might sell the data for profit to advertising or database firms. I remember entering a sweepstakes offer and all of a sudden I got bombarded by junk email. Somewhere in the terms and conditions, they may state with fine print that customers are agreeing to receive marketing communications from affiliate companies.
What are some of the security trends and challenges you see for retailers on the horizon?
Bohorquez: Everything and everyone is going mobile, and retailers are increasingly leveraging mobile technologies. More and more retailers are using in-store web beacons and similar technologies to track consumers’ in-store location data, analyze consumers’ purchasing activity, and push relevant, real-time, in-store promotions. Along with that comes the responsibility to alert shoppers that tracking technology is being used and provide them with opt-out instructions. Consumers’ concern with privacy and data security is sure to increase as commerce and marketing increasingly moves into the mobile space and as companies begin to leverage the Internet of Things and related technologies to communicate with consumers in real time and on location.
Lunde: The Internet of Things is about to explode and that creates so many potential hack points, so security needs to be developed around that. The economy is built on big data. Kroger and Amazon already realize that their data is more valuable than the products they’re selling because it informs their business decisions. But if there’s no data security, the system breaks down because if people don’t trust the system, they’ll figure out an underground way to do business. Big data is like paper currency; its value depends on trust.
Bohorquez: The winners in this emerging bricks-and-mobile marketplace will be the retailers that understand the future belongs to companies that respect consumer privacy and data security as a core business value.