How to combat delivery ramifications after a data breach
Following Marriott’s data breach, FTC regulations required the hotel chain to reach out to its entire email list of customers, informing them of a potential leak of their personal information.
Outside the obvious negative impact (loss of customers and brand trust), a breach also results in significant marketing expenses (the company must rebuild its brand and customer database). A recent IBM study places the cost of a data breach at $148 per record affected.
But to what extent will your email deliverability be impacted? Email deliverability experts know sending a message en masse to a complete database, without filtering out unresponsive or inactive email addresses, could greatly and negatively impact a sender’s reputation. Why? Because the brand is sending emails to addresses that have indicated (through inaction) they don’t want emails from that brand.
Mailbox providers (MBPs) recognize this behavior. To combat this, companies working with large email service providers may proactively opt to send emails to certain lists and MBPs warning them of the emails they are about to receive. The intention of an advance announcement is to help MBPs understand why there is a sudden change in sending behavior. A spike in undeliverable emails and in users reporting messages as spam will impact a brand’s email reputation for a time afterwards. Since your brand’s reputation is already impacted by the breach itself, it’s important to take the necessary steps to combat the deliverability impact that could occur.
The legal ramifications of a data breach and the notifications that might need to be sent to past unsubscribed users could be significant. While laws like CAN-SPAM and CASL allow for notification-type emails to be sent in this scenario, the content requirements need to be carefully considered to avoid a potential violation. Simply stick to the facts and don’t share anything that could be construed as promotional.
Do not save unnecessary data
Combat deliverability implications by utilizing data minimization tactics. Be smart about what data your company truly needs to gather in the first place and if it is deemed unnecessary, do not save it. If data does not exist, it cannot be stolen. To determine whether data is necessary, ask if you can complete the job you need to do without certain information. If the answer is yes, do not save it.
Additionally, when storing directly relevant data, encrypt it (where possible). Encryption adds another layer of security and, while it might cost more time and money in the short term, it will be well worth the investment if faced with a data breach. In November, Marriott confirmed a total of 5.25 million unique guests had their unencrypted passport numbers stolen. The hotel chain said they would work with guests to determine if fraud occurred, and if so, they would cover the cost of a new passport (approximately $110 per passport). Marriott needed to have those passport numbers for identification purposes, but did they need this information to be stored unencrypted? No. Could they have saved millions of dollars and their brand’s reputation by encrypting their data? Yes.
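The two points above, keep only the fields you need and never let a sensitive field reach storage in the clear, look like this in code. This is an added example written for this article, not Marriott's system or any vendor's library: the `GuestRecord` type, the `StoreGuest` write path and the demo key are all assumptions made for illustration. Passport numbers are sealed with AES-256-GCM from the Go standard library before the row is built, so a stolen table without the key yields ciphertext only, and because GCM authenticates the data, a row altered in storage fails to decrypt rather than returning a plausible-looking wrong value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// GuestRecord is a constructed example row. Only fields the business
// actually needs are kept, and the passport number is stored as
// ciphertext, so a leaked table on its own reveals no passport numbers.
type GuestRecord struct {
	Email       string
	PassportEnc []byte // nonce || AES-256-GCM ciphertext, never the plaintext
}

// newAEAD builds an AES-256-GCM cipher from a 32-byte key. In production the
// key lives in a KMS or secrets manager, not next to the database.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one sensitive value with a fresh random nonce and
// returns nonce||ciphertext. GCM also authenticates the data, so a row that
// is tampered with in storage fails to decrypt instead of yielding garbage.
func EncryptField(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptField reverses EncryptField; it fails on a wrong key or a modified blob.
func DecryptField(key, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], nil)
}

// StoreGuest is the write path: the passport number is encrypted before the
// record is built, so the plaintext never reaches the persistence layer.
func StoreGuest(key []byte, email, passport string) (GuestRecord, error) {
	enc, err := EncryptField(key, []byte(passport))
	if err != nil {
		return GuestRecord{}, err
	}
	return GuestRecord{Email: email, PassportEnc: enc}, nil
}

func main() {
	// Constructed demo key; a real key comes from a KMS and is never hard-coded.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	rec, err := StoreGuest(key, "guest@example.com", "P12345678")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: email=%s passport=%x\n", rec.Email, rec.PassportEnc)
	plain, err := DecryptField(key, rec.PassportEnc)
	fmt.Printf("decrypted with key: %s (err=%v)\n", plain, err)
	rec.PassportEnc[len(rec.PassportEnc)-1] ^= 1 // simulate tampering in storage
	_, err = DecryptField(key, rec.PassportEnc)
	fmt.Printf("tampered row decrypts: %v\n", err == nil)
}
```

The design choice worth noting is that the key is an input to the write and read paths rather than a property of the record: the database holds ciphertext, the key management service holds the key, and an attacker who copies the table has to compromise both to recover a single passport number.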
Get rid of data after a certain amount of time
When it comes to tax documents, it’s standard protocol to save any relevant information for three years. Data storage isn’t as clear cut but, to avoid deliverability risks, you should regularly review the data you save. While reviewing it, ask yourself whether you still need all of the information, how often you use it and how much you will use it going forward, and then determine when it should be deleted or potentially anonymized. Last month, a man in Singapore leaked the HIV status of more than 14,000 individuals. The data exposed dates back as far as 2013, and the severity of this breach could have been minimized had older data not been saved for so long.
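The review the paragraph above describes can be turned into a scheduled job rather than a one-off exercise. The following is an added example, not code from the article or from any organization it mentions; the `Record` type, the `RetentionPolicy` thresholds and the sample rows are all constructed for illustration. Each row carries the date the business last actually used it. Rows idle longer than the anonymization threshold lose their email (replaced by an HMAC pseudonym, so aggregate counts still work but the address cannot be recovered) and any identity-document data; rows idle longer than the deletion threshold are dropped entirely, which is the only way to guarantee they are not in the next breach.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Record is a constructed customer row for this example.
type Record struct {
	ID          string
	Email       string
	PassportEnc []byte    // encrypted identity document, if still needed
	LastUsed    time.Time // last time the business actually used this row
	Anonymized  bool
}

// RetentionPolicy records the answers to "how long do we still need this?".
// DeleteAfter must be longer than AnonymizeAfter.
type RetentionPolicy struct {
	AnonymizeAfter time.Duration // strip identifying fields after this idle period
	DeleteAfter    time.Duration // drop the row entirely after this idle period
}

// pseudonym replaces an identifier with a keyed hash: deterministic, so the
// same address always maps to the same token, but not reversible without the key.
func pseudonym(key []byte, value string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(value))
	return hex.EncodeToString(mac.Sum(nil))
}

// ApplyRetention returns the rows that survive the policy at time now and the
// number of rows deleted. Rows idle longer than DeleteAfter are dropped; rows
// idle longer than AnonymizeAfter lose their email and passport data.
func ApplyRetention(rows []Record, now time.Time, p RetentionPolicy, key []byte) ([]Record, int) {
	kept := make([]Record, 0, len(rows))
	deleted := 0
	for _, r := range rows {
		idle := now.Sub(r.LastUsed)
		switch {
		case idle >= p.DeleteAfter:
			deleted++ // not appended: the row ceases to exist
		case idle >= p.AnonymizeAfter && !r.Anonymized:
			r.Email = pseudonym(key, r.Email)
			r.PassportEnc = nil // an anonymized row has no use for an identity document
			r.Anonymized = true
			kept = append(kept, r)
		default:
			kept = append(kept, r)
		}
	}
	return kept, deleted
}

func main() {
	now := time.Date(2019, 3, 1, 0, 0, 0, 0, time.UTC)
	day := 24 * time.Hour
	// Constructed sample rows: recently used, idle for over a year, idle for over two.
	rows := []Record{
		{ID: "a", Email: "fresh@example.com", PassportEnc: []byte{1}, LastUsed: now.Add(-10 * day)},
		{ID: "b", Email: "idle@example.com", PassportEnc: []byte{2}, LastUsed: now.Add(-400 * day)},
		{ID: "c", Email: "stale@example.com", PassportEnc: []byte{3}, LastUsed: now.Add(-800 * day)},
	}
	policy := RetentionPolicy{AnonymizeAfter: 365 * day, DeleteAfter: 730 * day}
	kept, deleted := ApplyRetention(rows, now, policy, []byte("constructed-pseudonym-key"))
	fmt.Printf("deleted %d row(s)\n", deleted)
	for _, r := range kept {
		fmt.Printf("%s email=%s passport=%v anonymized=%v\n", r.ID, r.Email, r.PassportEnc, r.Anonymized)
	}
}
```

Run on a schedule, this job answers the article's three questions mechanically: `LastUsed` says how often the data is used, the policy says how long it is needed, and the output is a smaller, less sensitive dataset to have on hand when a breach does happen.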
Prepare for the knowledge gap that comes with employee turnover
Preparing for the…