Editor’s Note: Data privacy and protection is a BIG deal, and it’s only going to get bigger. I say this as someone who is a libertarian at heart and believes that free market forces have a tendency to work themselves out without legislative intervention. That said, in the Wild West of the digital age Sheriffs are a necessity, and it is in the best interests of many industries, market research included, to develop self-policing procedures. As we recently discussed in this post related to the GRBN survey on Trust and Personal Data, our industry has a unique opportunity to lead in developing world class personal data protection policies.
This is a theme that Neil and Bob Seeman explore more deeply in todays post prompted by the recent Sony Hacking incident. It’s an important post to start 2015 with, and one that I hope all research companies take very, very seriously. It’s only a matter of time before one of the big digital data companies becomes a similar news headline, and we as an industry better be prepared for that day.
By Neil Seeman and Bob Seeman
The Sony hacking case reveals how easy it is for determined hackers to get inside a secure system. However, what about sensitive information that flows outside a secure system though very insecure systems – such as standard email? Few are talking about that – yet. The global market research industry needs to pay attention – now – and at the board level. Here’s why.
Consider an analogy to banking, where security is especially core to public trust – just like in market research. No country can afford a run on the banks. Imagine allowing unarmed bank employees to transport millions dollars of cash between the bank’s branches every day. However, nobody has thought of hiring Brink’s for email.
Email is not secure. Repeat: Email is not secure. Email with a password on an Excel spreadsheet/CSV, SPSS file or PDF is not secure.
Email is more like mailing a postcard – anyone with physical access to an email along its circuitous path from sender to receiver can read the email. Just like a postcard, an email passes through a lot of different people’s easy access. It gets copied to and resides on about six different computers before being read by the recipient. Each computer is a target. However, far less secure than a postcard, an email can reside on one or more of these computers and also be easily searchable – in perpetuity. You can talk to thousands of Sony employees about that. At least, when delivered properly, there is only one copy of the postcard and it can be easily shredded after being read.
Few people understand how email works. Most people think that email works similarly to accessing a website. A website’s information goes non-stop directly from the website’s computer to your computer and its screen. Websites work this way but email does not.
With a variety of readily available software, an email can be surreptitiously copied – or modified – whilst resting on any one of those six computers or in transit among them. To mention just one way that any 14 year-old computer whiz can hack your email in minutes, just go to YouTube and search “wifi email hacking”. Caution: you may not want to do the search if you want to sleep well tonight.
Almost all companies use email. However, there may not be an industry more reliant on emails to non-employees – and emails sent outside the secure corporate network – than the market research industry. The board of every market research company in the world, especially public companies, is legally obliged to know associated risk and monitor risk regularly – that is basic risk compliance. It cannot be left to an IT department. Similar to an expert such as an Audit Committee Chair, many public companies are now considering recruiting a security expert to their board to chair their Cybersecurity Committee.
Almost every panel company that we are aware of, and many market research companies, rely on email or social media to broadly distribute surveys or links to a survey. By definition, the industry often collects sensitive personally identifiable information (PII) including income and employer reviews.
Even though the respondent will consent to providing this information, he is not consenting to even a minor risk that his data will be hacked as a result of insecure email communications, thereby providing hackers potential access to medical records or social security numbers. The people who hacked Sony’s system obtained PII on more than 47,000 people, including former and current employees, consultants and movie stars. In the case of the market research industry, any one of the tens of millions of people who have opted in to an insecure system are potentially at risk.
The market research industry cannot afford to lose 100 terabytes of data in hours like Sony did. The hackers not only posted confidential Sony information on the Internet but they erased massive amounts of data, making the entire Sony internal computer network unusable. For this to happen to the market research industry would be a public relations disaster to the entire sector – even if it happened to just one large company.
This threat is not the unwarranted Y2K scare. It is a real and imminent risk to global commerce – especially market research, given its reliance on email to transmit information to even the most transient of survey takers.
Email security is vital to the industry from a business, cyber-security, and risk mitigation perspective, and, most importantly, from the perspective of maintaining general public trust in the industry. Many customers abruptly stopped using credit cards at Target upon the massive credit card hack that hit Target – but customers still could pay with cash. In contrast, if the Web-based market research industry loses the trust of people online, it could be decimated. Its very product is trust – trust that PII will be handled confidentially. And that is leaving aside the potential regulatory penalties and legal claims thereby associated.
With the future of the industry at stake, this is now an opportunity for the industry to show leadership where other industries have not.
When people sign up for a market research panel, they provide their PII and opt-in consent. Then, some data companies procure panel ‘sample’ from that company. A data firm then often emails out or texts the survey link to the bespoke survey and people answer the survey in the link for sweepstakes or rewards. These links may be secure or insecure. However, since market research companies want as many answers as possible to a survey they may not want to put in too many roadblocks to potential respondents – such as a 10-digit password (with jumbled numbers and upper/lowercase letters) or a secure password recovery method (one that does not rely solely on standard email to recover).
Even emailed “secure” links are generally easily hackable. If someone’s email has been hacked, the typical password reset method through email has also been compromised. It has been completely compromised if the password reset method does not offer multiple difficult challenge questions – like most banks have now established. If the reset method does not involve a manual type-in to the URL bar (address bar) of the reset link, as opposed to just clicking on a link, it may be a phishing scam perpetrated by the very same people who initiated the hack.
A person’s email account is the central location for almost all of his or her passwords. It is the key to their electronic soul.
Some data companies even send to their client – by standard unencrypted email – spreadsheets of attitudinal data including respondents’ email addresses.
And unlike in-house transactional data like at Sony, survey data are communicated less safely – and also less effectively – over insecure email. The market research industry should be a leader in Big Data analytics. It is difficult to build a ‘Big Data strategy’ if a company’s entire modality of collecting data is insecure and liable to easy breach.
The solution begins with either abandoning standard email-based communication or introducing higher-security measures as one might have on an internal corporate network. Rigorous password standards must be introduced. Do not encourage people to click on links in emails that encourage phishing by spammers. Transmit all PII, survey invitations and responses by secure encrypted channels or secure encrypted email. The industry must seriously consider moving to non-email based platforms or to the many secure specialized do-it-yourself platforms. Some (a small minority) of apps have been independently vetted as secure and private and do not require email input – yet this custom-made solution is potentially compromised by the reality that apps have a terrible reputation in cyber-security since they are capable of collecting (with user “consent”) exactly where a person is located or has travelled ever since they installed the app, Web histories, e-mail contacts, and connect to other ‘game’ apps that may be even less secure.
The market research industry can show leadership where many other industries are ignoring this time bomb. The industry has the most to gain – and the most to lose.
Bob Seeman is Chair of The RIWI Corporation, a global Internet data collection and risk company, Chairman of the Advisory Board of EOPN, a secure encrypted email company, an engineer and former Head of Strategy for Microsoft Network, UK. Neil Seeman is a Senior Fellow at Massey College in the University of Toronto and CEO of The RIWI Corporation. They are both non-practicing lawyers.