Recent filings in the SP Richards’ (NYSE:GPC) DataGate Federal lawsuit have detailed what any hacker or security expert would call a Trojan horse. In computing, a Trojan horse, or Trojan, is any malicious computer program that is used to hack into a computer by misleading users about its true intent.
Many dealers do not understand or appreciate the significance of data theft and how it has skyrocketed into a multibillion-dollar criminal enterprise. All of today’s professional hackers are after your data, including purchase history (buying habits). Your name and address alone are valuable to hackers and can be devastating in the wrong hands. All the security experts agree: always shred anything with your name on it.
So what about your business data? Do you protect your customers’ data? Do you protect it like your business depended on it?
The top criminal hackers aren’t generally interested in personal info on 1,000 companies or individuals. These professional hackers are after tens of thousands or hundreds of thousands of records. Allowing your sensitive business data to be uploaded to a central depository is putting a big red bow on it and saying, “Here it is hackers, come and get it.”
And that may have already happened earlier this year when ECI was hacked. You didn’t hear much about it; you never do. Of course they claimed nothing was compromised. The truth is that it is usually impossible to tell exactly what happened, what the hackers got, and what data was compromised until it shows up for sale on the Dark Net.
If you think ECI is going to protect you, better think again. Hackers have successfully penetrated some of the most sophisticated networks on the planet. ECI is child’s play to these professional criminals. Let’s also not forget that ECI is owned by bankers and has been for a very long time. Bankers don’t make software, bankers make money.
Who do you think is going to be held liable when that big customer of yours finds their data has been compromised and traces it back to you? It’s not hard to trace the source of data breaches anymore. Many companies and individuals, including myself, are starting to add traceable identifiers to any personal or company contact info provided to others. This lets us know when our data has been compromised and by whom.
The reason? Proving someone has been careless with your data, especially when they lie about it, is worth a lot of money. Home Depot has settled their data breach for $13 million. It cost Target $39 million. And the list goes on. AvMed, $3.1 million. Stanford, $4.1 million. Sony, $15 million. LinkedIn, $1.25 million. Everyone is taking data security seriously today, and those who don’t are going to pay big time.
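One way to implement the traceable identifiers mentioned above, as an added example (not the author's own method): derive a per-recipient plus-address tag with an HMAC, so a leaked address can be traced to the party it was given to. The key, mailbox, domain and recipient names are constructed, and the mail system is assumed to support plus-addressing.

```python
import hashlib
import hmac
from typing import List, Optional

# Constructed values for illustration only.
SECRET = b"constructed-demo-key-keep-offline"
MAILBOX, DOMAIN = "orders", "dealer.example"
TAG_LEN = 10  # hex characters of the HMAC kept in the address


def _tag(recipient: str) -> str:
    """Keyed tag: cannot be guessed or forged without SECRET."""
    mac = hmac.new(SECRET, recipient.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:TAG_LEN]


def tagged_address(recipient: str) -> str:
    """Address to hand to one specific third party (plus-addressing)."""
    return f"{MAILBOX}+{_tag(recipient)}@{DOMAIN}"


def attribute_leak(seen_address: str, recipients: List[str]) -> Optional[str]:
    """Return the recipient whose copy leaked, or None if the tag is
    missing or does not verify (stripped, truncated or made up)."""
    local, _, domain = seen_address.strip().lower().rpartition("@")
    if domain != DOMAIN or "+" not in local:
        return None
    mailbox, _, tag = local.partition("+")
    if mailbox != MAILBOX:
        return None
    for r in recipients:
        # Constant-time comparison of the presented tag with the expected one.
        if hmac.compare_digest(tag.encode(), _tag(r).encode()):
            return r
    return None


if __name__ == "__main__":
    parties = ["Wholesaler A", "Software Vendor B", "Marketing Co-op C"]
    for p in parties:
        print(p, "->", tagged_address(p))
    # Constructed scenario: mail arrives at the address given only to B.
    leaked = tagged_address("Software Vendor B").upper()
    print("leak attributed to:", attribute_leak(leaked, parties))
```

A plus tag is easy for a recipient to strip, so a separate alias mailbox per recipient gives stronger evidence where the mail system allows it.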
Whatever you do, don’t lie to your customers about it. Never tell customers you don’t share their data with third parties if you participate in one of these ECI/SPR data schemes. Because you ARE sharing sensitive customer data with third parties, and with NO restrictions – read the contract. If you lie and claim you don’t share sensitive customer data, when in fact you do, you can be held doubly liable when it all goes bad.
Don’t make the mistake of assuming that purchase history data is somehow exempt and not considered sensitive data. Of course it is sensitive data! Advertisers will pay top dollar for your buying habits so they can bombard you with targeted ads. This is considered by most as an invasion of privacy. Deliberately exposing your customers to this invasion without their permission is asking for trouble.
Then there is the competitive disadvantage of sharing your customers’ data. Would you approach your rival’s biggest customer, perhaps a bank or healthcare provider that would be especially sensitive to data security? Would you make it known to this large customer that their current supplier is exposing them to exploitation by providing their complete and detailed purchase history, unrestricted, to third parties? Would you also let this large customer know that their current supplier has likely lied to them regarding this data sharing?
What about government agencies? Do you have any government business? Do your government customers know you are sharing their buying habits and perhaps other sensitive data, unrestricted, with third parties? This one I would be especially worried about. Depending on the agency and terms, you could face hefty fines and even criminal charges if they find out you are not protecting their data.
Don’t buy the excuse that “we only sell your data aggregated.” While that could be true, you on the other hand, as the dealer, are providing complete details on ALL your customers’ purchase history to a third party without restrictions. Just because they say they aren’t selling your complete customer lists and detailed purchase history doesn’t change the fact that they have it. It also doesn’t change the fact that when that third party gets compromised, you will be the one held liable for the mishandling of your customers’ sensitive data.
While I understand that there is a value to some of the services being offered in exchange for your data, is the potential harm worth the value? This is the whole point of a Trojan horse. It’s pretty to look at, but inside is a deadly payload designed solely for the benefit of the hacker.