
Lesson from the Epsilon E-Mail Breach: Better Data Governance Needed by Service Providers

 
Epsilon Data Breach
What companies are saying to their clients about the Epsilon breach

Due to a “massive” breach at the marketing firm Epsilon, an unknown number of names and e-mail addresses were exposed, which could lead to phishing attacks by organized criminal groups. Epsilon is a service provider that handles e-mail marketing lists for hundreds of clients, including giants like JPMorgan Chase, Citibank, Target, and Walgreens.

 
The breach has forced banks, retailers and others to begin alerting their customers to be on the lookout for fraudulent e-mails. In a traditional phishing attack, criminals e-mail millions of people with a message that appears to come from a bank or other legitimate business, hoping that some recipients are customers of that business and will follow instructions to, for example, “update your account information.” Once an unsuspecting victim hands over account details, identity theft and other fraud become very easy to commit.
 
While Epsilon’s reputation will undoubtedly be tarnished by this latest breach, many of its clients will suffer collateral damage to their own reputations as well (i.e., guilt by association). Courts have repeatedly ruled that it is the responsibility of the client to manage their own data. Yet the irony in all this is that, unless you have the economic leverage to audit a “cloud” service provider’s privacy policy and terms of use, the client is left at the mercy of whatever terms it acquiesced to when it clicked “accept.” The service provider’s liability will undoubtedly be limited as far as the law allows.
 
In its Privacy Policy, Epsilon states, “Epsilon may also share the information with an affiliate company or another company in relation to a sale or consolidation of Epsilon’s assets, provided, however, that such companies agree to honor all of the privacy commitments set forth in this Policy.” The problem with a provision like this is that it offers no transparency into how the provider uses technology to protect consumer data should a client wish to audit its systems. You basically have to take them at their word (today, we see where that got them), or go elsewhere.
 
The question many of Epsilon’s clients must be asking themselves after this latest breach is: are we doing enough, internally and externally, by way of control mechanisms to ensure that our client data is safe? Answering it means starting with a paradigm shift built around a Control Conscious Corporate Culture.
