Sex sells. That is not news. This piece is not about sex, but it is about the lesson behind a rather salacious event, the hacking of data owned by Ashley Madison. There is a broader warning than just avoiding adultery.
Ashley Madison’s story is well known. The company’s website was a clearing house for people seeking extra-marital affairs. How many people frequented the site is controversial but what is not arguable is that millions of records containing names, personal details and credit card information were infiltrated and released to the public. The media is still sifting through the information to find public figures.
The nature of Ashley Madison’s business is obviously the reason why the breach is so captivating. It is also the reason why the breach is an important warning. The information on the site is material that few people would voluntarily disclose. Does anyone care if others find out they shop at Home Depot? No. So Ashley Madison’s unique client base set it up for higher risks. Other business owners may think they are in a more “traditional” business and do not have to worry. I think the lessons are the same.
Court decisions involving privacy and protection of information have treated 3 types of data as requiring extra attention. The first is financial information. Although some people do not care if others know how much they earn, for most it is a big deal. Add the fact that severe financial damage can accrue and it is a major problem.
The second is health information. Although the potential to physically harm somebody with information on their health is remote, damage can still occur. Would employers or insurance companies treat someone differently if they knew of certain conditions? Or consider the reputational damage if it became known someone had contracted a sexually transmitted disease.
The third category is more fluid. We can call it sensitive personal information, but what that covers depends on the information itself and even the societal status of the person. Sexual preferences, some of which Ashley Madison stored, can fall into this category but there could be a wide variety of things which people just want to keep to themselves.
In today’s world everybody wants to collect data about customers. This is sometimes part of a concerted effort to stay in touch and market to them but it might just be “in case we need it”. Usually there is no inherent problem in collecting that information, although certain things, like social insurance numbers, are regulated.
Strip out the titillating details from the Ashley Madison case and an ominous issue becomes clear. Storing any information is a potential liability. If it is just name and address, the risk of harm is small (unless you trade in very sensitive activities as Ashley Madison did). The more you add in the three categories mentioned above, however, the more the risk rises. Many businesses keep credit card information on file for their own convenience and the convenience of customers for future orders. That financial information is dangerous in the wrong hands.
In a similar vein, it is common to use customer relationship management software, or CRM, to improve sales performance. Savvy salespeople may collect names of kids, spouses, birthdays and similar information so they can personalize customer contact in the future. There is nothing nefarious about that on its own but the information could be used for identity theft in the wrong hands.
I am not saying you should never collect any information on customers. Commerce would grind to a halt without contact information at the very least. The thing to take from Ashley Madison, and other similar breaches over the past years, is this: assume your data collection will be breached. You will obviously implement best practices and do your best to make sure it does not happen but if a determined hacker wants to get your information, very few systems can withstand this. So accept that everything you have could be made public.
With that assumption, what does it mean for your data collection practices? Put another way, do you have business reasons to collect every piece of data you now ask for and do those business reasons outweigh the potential risk? If so, OK. You are not eliminating risk, but if it is necessary for your business to operate optimally, then it is one of those risks every business must assume. Appropriate risk management strategies should be implemented.
But if you are collecting data just because it is good to have and you might have a reason to use it in the future, think hard about the liability. What would happen to your reputation if you had to announce that certain information had been stolen from your systems? Beyond reputation, would your customers sue you into oblivion for failing to protect their information? That is the prospect Ashley Madison now faces.
There are technological and legal strategies you can use to manage the risk but you will never eliminate it. If you have not done so already, an audit of your data collection and storage practices will help identify the weak points. From past experience we know that most businesses will just continue as usual and hope they are not targeted. Only you can decide if that approach is enough.