Customer Privacy Is Nothing to Kid About
Customer Privacy is nothing to Kid about
Satellites watch your house, your office, and your children’s school. Traffic cameras follow your daily commute turn by turn. Software watches where you surf on the web, tracks your eyeball’s movement across pages, and calculates each click, pause, and impulse. This software predicts where you will go next and guesses your interests by popping up images and offers to tempt you to act now.
“New gadgets installed in cars will be able to tell insurers how many miles drivers have logged, what times of the day they drive, and even how fre- quently they abruptly stop and start. Other incarnations of the technology involve GPS devices that can even tell insurers precisely where drivers have traveled, and if they obeyed local speed limits.”
—Red Tape Chronicles, http://redtape.cnbc.com
Even your car spies on you with its GPS (your phone may be an accom- plice, too, as are other devices in your home and office). Your movements, each tenth of a mile, are measured. In-car computers log each press on the accelerator and brake, speed, and condition. E-ZPass, parking meters, gas purchases with credit cards, and loyalty cards all generate mile markers detailing your customer journey.
In the background and around the world, unbeknownst to you, third parties harvest this information, enhancing it with the other information they have gathered, modeled, and scored. Information about you is pack- aged, and your digital persona is sold to the highest bidder. Worse yet, it is sold as often as possible to anyone who will pay. Your information, your
128
interests, and where you spend your time is packaged and sold by local, national, and global vendors.
So, what does this mean to business owners?
How much is my data worth anyway?
The two stories that follow shed some light on customer data breaches and customer identity theft. The stories are not related and Story #1 is an illustrative account told by security experts to depict standard operations in identity theft rings. They highlight why companies of all sizes and across all industries must require more stringent customer information handling processes. The most shocking aspect of these stories, which are just two among thousands, is how simple and easy it is for the thieves in each sce- nario to steal customer data.
What the stories do not show, of course, is the pain, annoyance, time, effort, and suffering that each of the customers went through to reverse the transactions, adjust their accounts, and repair their credit. The total cost of these crimes is many times what the thieves actually stole.
Story #1
June 24, 2008, Bangalore: Chandri receives a message back from “RBL Ventures,” asking him to show them a sample of 100 transactions so that they can evaluate the data. Four hours later, they email him back, offering $12 per usable card. He emails half the data. RBL responds an hour later, saying that there is usable data on 42,174 valid, separate cards. They offer to pay him $506,088 for those cards and will wire the funds to his bank account. He emails them his bank account information.
June 24, 2008, Bucharest: Elescieu gets the first 50,000 credit card transactions from “Reliable Supplier” and runs the numbers through a program that spots duplicates and weeds out cards known to have expired or been cancelled. He subtracts another 2,000 for good mea- sure and offers $12 to a seller he thinks is inexperienced.
June 25, 2008, Bangalore: Having confirmed that the funds are in his bank account, Chandri sends the other 500,000 transactions and gets a wire transfer for $464,088 for 38,674 cards.
June 28, 2008, Bucharest: Elescieu takes the credit card data to an associate who manufactures counterfeit credit cards.
July 12, 2008, Bangalore: Chandri buys a new car for cash, and takes his family shopping. He invests the money in bank CDs.
July 14, 2008, Bucharest: Elescieu distributes the counterfeit cards to a ring of associates who will use them quickly, primarily to buy high ticket items that can be resold for cash. He gets a cut of the cash they raise in return for his promise to provide more counterfeit cards in the future.
July 28, 2008, Moultrie: Morgan gets her credit card statement in the mail and finds $4,326 in charges for purchases of consumer electronics and jewelry in several European cities. She immediately calls her credit card issuer and reports the fraudulent transactions to a customer service representative, who cancels the card and tells Morgan that she need only pay for the purchases she made. Her new card will be mailed to her in a few days.”
—Transaction Trends, December Data Security Investigations, “Anatomy of Two Breach Scenarios with Two Very Different Outcomes” by Richard H. Gamble, gamble10@earthlink.net
Story #2
“Illegitimate customers are placing orders for flowers using stolen credit card information. The orders are typically placed via fax, email, and/or hearing-impaired relay calls. The perpetrator then requests that the florists wrap the flower arrangements in various amounts of cash and bill the difference to the credit card number(s) provided. These orders have been known to reach $4,000. A shipping address for the order is then provided to the merchant.
In some instances, the perpetrators have been known to hire an unsuspecting accomplice to pick up the flowers in person. This accom- plice is then instructed to ship the flowers via UPS or the mail.
When the true cardholder receives the floral charge on their monthly statement, they will initiate a chargeback, as the order was placed without their authorization. As a result, the merchant will become liable for the fraudulent sale.”
—“Visa Alerts of Floral Credit Card Fraud,”
The florist story above is especially galling since it appears that the employees at the florist are going out of their way to meet a customer’s needs by wrapping cash in the bouquet.
Missing pieces—just a calculable piece of the puzzle
Businesses have to think like a customer and be aware of how easily cus- tomer data can be stolen, manipulated and fraudulently manufactured and used. The CxC Matrix depicts how the missing pieces of a customer’s digital mosaic are easily filled in using predictive models and algorithms. Simply put, customers are not that unique. Consumption and purchase patterns, delivery and payment preferences follow similar paths that make differenti- ating real behaviors from manufactured or simulated behavior near impos- sible to distinguish. As more channels become digitized and web connected, customer activities will become even more transparent and more easily simulated. More data constantly becomes available as digital television and radio behavior is captured per click. Favorites on both are readily available. As customers unknowingly link members of their households, their social networks, their work relationships, digital identities will become more vul- nerable to poaching, phishing, eavesdropping, fraud and theft.
So, what do your customers do? Stop using credit cards? Disconnect their internet connections, GPS, satellite radio and cable television? Stop traveling
for business? Not likely. Yet, regardless of what they might think or how they might try, customers are not that unique, and they likely make the majority of their purchases locally within four miles or 15 minutes of their homes and workplaces. The digital breadcrumbs from census data, surveys they com- pleted, loan applications, health club and group membership applications, health records, sweepstakes entries, or even pharmacist forms are just wait- ing to be assembled with a high degree of accuracy—even if your customers don’t approve or assist. Even a novice data assembler, identity hacker, can match home and business addresses to demographics and publicly available data and, like a video simulation game, begin playing out scenarios acting like hundreds to thousands of individual consumers.
Electronic data is everywhere and growing
In case you think the news media or a couple of individuals are overreacting to data theft and easy access to personal and confidential data, please go through this quick exercise.
Step 1. Go online to www.Google.com.
Step 2. Type “Attendee List” in search window.
Step 3. Select “Advanced Search,” go to options under “File Type,” and select “Microsoft Excel (.xls)”
Step 4. Click “Advanced Search” or hit “enter.”
Step 5. Take a look at the Excel files presented. No, don’t open them. They are private information.
Step 6. Edit the search box by adding “Mike” to the front of the search statement.
Step 7. Reexamine the files.
Hopefully, after a couple of people read this book, these files will become harder to access and will be more protected. Just maybe, companies, indi- viduals, churches, and membership organizations will protect information more seriously.
Is this identity theft? This entire exercise takes about 90 seconds, and if anyone has wised up to this application and no results appear, you can spend another 90 seconds experimenting with words like “name,” “phone,” “home,” “addr_2,” and other file types to see what pops up.
Get scared, exercise caution, and read your statements
You and your customers should be scared because customer data moves around much too easily. Customer data is easily monetized and too lazily shared.
A 16-gigabyte data storage card, the kind used in a camera, phone, or GPS, is the size of a thumbnail and weighs half an ounce. It can hold the name, address, phone number, email address, and information about every individual in the United States or the name and address of everyone in China. Sending that same amount of data as an email attachment takes less than 15 minutes on an easily available computer network.
Banking, health, credit card, and relationship data should not be directly traceable to individuals, families, households, and companies. Businesses and individuals exchange data too freely across unsecure networks, on pieces of paper, in mail, on the phone, in emails, and in web order forms.
This is an unfortunate artifact of antiquated systems design. As data is exchanged between companies, third parties, and outsourced service provid- ers, the emphasis is on speed and efficient transaction processing. Individu- als and customer data protection simply receives less attention.
Part of the issue is reliance on third parties for billing, collections, and customer service. Information needs to be portable and complete to recon- struct the customer situation. This is the only way to create situational awareness for all of the parties serving the customer and performing trans- actions and contacts on behalf of the company.
Information systems groups and technology companies have always had a blind spot when it comes to customer data management. This fun- damental flaw comes from an incomplete vision, a short-sightedness in
customer information design. The customer information is subservient to the demands of the transaction, accounting, and financial systems. This is why, to this day, it is so difficult to track all of the items in a customer order and all of the contacts preceding and following a customer transaction.
Businesses race to get new customers and minimize the customer’s inconvenience, asking for substantial amounts of information in the process without even realizing it. As a result, customer information systems have been patched together, often based on tricking customers into believing that they are dealing with the same company or department. This is to promote the illusion that the customer has not been handed off to another depart- ment, another set of systems, or another company in another country. This deception has built an information network that is itself easily deceived.
Your business should use the CxC Matrix as a tool to audit your personal data protection policies and procedures at each contact point. The Matrix can list what business and personal data is exchanged and available at each contact point, what governance and safeguards exist at each point, whether data is encrypted or which data elements are exposed and why, where third party data usage agreements exist, and where data security and monitoring procedures are in place for each system.
Your business is challenged with reducing the amount of time that cus- tomers have to spend identifying themselves (authorizing transactions), while, at the same time, assuring the security and authenticity of each contact. In most instances, this identify requirement needs to take place prior to the exchange of any information in any contact. This all takes place before or simultaneously with preparing the contact point with the right message, the right offer, and all of the message components to ensure an optimum customer experience.
Businesses are failing the customer data protection test
First, there is no real test for ensuring that data is not misused, neglected, or shared unlawfully, intentionally or unintentionally. Customer data is just too portable.
There are a number of government and business groups taking this very seriously, but they are simply outgunned by opportunistic data pirates that game the system. Data pirates collect real dollars through fraud and extortion.
Government, regulatory, and trade organizations use a number of secu- rity, storage, encryption, and customer exchange standards, but Figure 11.1 shows that these are not working.
Note that a couple of the data breaches, particularly TJX and Heartland systems, were targeted by malicious computer software that stole data directly from the credit card processing servers and went undetected. While a single breach causes alarm and concern, the fact that these two highly reputable and specialized companies were breached and did not know it for extended periods of time is enough to justify paranoia.
Many of the companies listed on the table have gone through formal data and information systems audits to certify that they adhere to Sarbanes- Oxley (SOX), Graham Leach Bliley (GLBA), Payment Card Industry (PCI), or the Health Insurance and Portability and Accountability Act (HIPAA). Yet, these companies and many others like them are losing customer data at an alarming rate.
Most people will likely be shocked by the brands highlighted in the breached data table. How is it that our most trusted institutions in govern- ment, medicine, health care, financial services, and education lose so much data? They use names with addresses, Social Security numbers, and phone numbers. This data should never be together in a single database because doing so makes it an easy target for someone who wants to use it to apply for a loan, get a credit card, impersonate someone, or destroy someone’s credit or reputation.
What are the odds that any of this information is yours? Likely.
Figure 11.1 below is a subset of one year’s recent customer data breaches collected from publicly available sources. The list is frightening because of the millions of customers affected and the lack of adequate customer data protections.
Figure 11.1
Company
Alleged Number of Customers Exposed
TJX
2,400 stores, US & Europe
Retail giant TJX said that a computer-security breach stretched back 10 months earlier than the company originally thought, compromising credit and debit card data, drivers’ license numbers, and names and addresses.
45,700,000
Express Scripts
Express Scripts received an extortion letter including personal information on 75 members, including their Social Security numbers, addresses, dates of birth, and in some cases, prescription information.”
—Express Scripts website
50 million prescriptions
Horizon
More than 300,000 members’ names, Social Security
300,000
Blue Cross
numbers, and other personal information were
Blue Shield
accessed on a stolen laptop computer.
(Newark, NJ)
Kraft Foods (Northfield, IL)
A stolen company-owned laptop contained names, maybe Social Security numbers of customers.
20,000
MTV
Networks (Los Angeles)
Confidential employee data breached from outside: names, birth dates, Social Security numbers, compensa- tion.
5000
HPY—
Heartland Payment Systems (Princeton, NJ)
According to The New York Times, thieves stole data undetected from May 2008 to late fall 2008. More than 500 financial institutions were affected. Customers included more than 250,000 businesses ranging from restaurants to retailers to payroll systems.
Unknown total number of indi- vidual customers; 100 million credit card transactions monthly
Pennsylvania
Voter website programming error allowed anyone on
30,000
Department
the Internet to view voter data: name, date of birth,
of State
driver’s license number, political party. Some had last
(Harrisburg,
four digits of Social Security number.
PA)
For a running list of data breaches reported on a monthly basis, see www.privacyrights.org/ar/ChronDataBreaches.htm
Protect your customers, protect your business: identification, authentication, and authorization
Business, accounting, and financial practices have not evolved to accom- modate the needs of a digital age, which requires a whole different mindset regarding identification, authentication, and authorization. Each of these functions is required for every customer contact, but in the new digital world, each element has to be treated separately in order to ensure a customer’s privacy. Companies that take short cuts in order to complete transactions and data exchanges more quickly and efficiently continue to be vulnerable to fraud.
Consumers have personas based on where they live, where they shop, what they buy, and how they buy. Your company needs to leverage this information, most of which you already have, in order to more rigorously identify customers and more closely meet your customers’ expectations. This approach is not new and is most often used in fraud detection on credit card processing networks, but it is obviously not used enough or used correctly. This process works better for repeat customers than first time customers, but it should be reasonably executed by most companies.
According to a report by the Ponemon Institute, a Tucson-based research group, customer data breaches cost companies about $200 per customer with 40 percent of the cost attributed to losing customers to lack of trust and confidence. While breached data and identity theft are not the same issue, customers suffer the damages and pay the expense of repairing their information and reputation. Customers are the most vulnerable and least in control of their own information.
Customers should be paid when companies use their data
One solution to the customer data problem may be to require customers to manage their own data, which might also mean that only companies with customer permission can access customer data. In other words, no company would be allowed to use the data unless first approved by the customer.
Moving data control and access to the customer might also involve custom- ers selling their own data to companies for marketing, research, and list sales as is already taking place today. But customers would receive a statement telling them who is using the data and they would be able to control the types of use. The conclusion is that customers should be rewarded for shar- ing their data and should also be provided a data usage statement showing which companies use and store data; for which transactions and purposes; where the data is used and stored; how often and recently the data was accessed; and the purpose.
Companies using customer-owned and managed data would have a lower fraud rate and a vested interest in ensuring that the customer information is absolutely verifiable. Customer-owned data would also relieve companies of any implied liability from misuse or incorrect data—two issues that are likely to grow in the coming years as more information is digitized and customer transparency broadens.