Security breach shakes consumer confidence

Usually when security is breached on sites like the Air Miles one – sites that specialize in the collection of personal data – two things happen.

First, IT managers and webmasters stop and reappraise their on-line integrity; second, consumers’ tongues start to wag with concerns about privacy, data collection and the security of on-line transactions.

According to John Wright, The Loyalty Group’s vice-president and general manager, Air Miles business program, his organization didn’t see any signs of the second.

He said The Loyalty Group received very few calls, and that once the site was back up people resumed enrolling on-line. Air Miles partner organizations such as Shell Canada Products Ltd. also experienced a similar lack of concern. Donna Kraus-Hagerman, manager of public affairs for Shell, stated that the Calgary-based company “hasn’t had any calls into our customer lines” regarding the problem.

Still, The Loyalty Group decided to personally address its collectors. To that end, Wright said the organization contacted, either by phone, e-mail or letter, each of the 30,000 or so people whose names were in the exposed file.

When asked how the security breach will affect general consumer confidence about on-line transactions, Wright replied that this isn’t what he is focusing on.

“For us I’m not so worried about the broad market discussion. I’m more concerned about making sure people have confidence dealing with us.”

Others involved with e-business and e-commerce ventures, however, say that the attention that the Air Miles site has received will affect public perception.

“Any time you get something large scale like this you get a shake-up in consumer confidence,” said Marc Rogers, a consultant with SHL Systemhouse in Winnipeg. “It adds to the fear of personal data being exposed, especially when there is not really an understanding of the technology.”

Rogers added that while there can be problems caused by companies going public with word that their security has been breached, not doing so can be worse.

“It is important to go public — to let other companies know what happened to you. Not to do that, to have that type of mentality, lets the hacker perform multiple attacks across whole industries using similar methods. Even if companies had an organization working in the background with them (that they could report security problems to) that would help.”

Cal Rosen, principal consultant in the market and customer management practice at PricewaterhouseCoopers in Toronto, noted that any company whose security problems have been publicized needs to be open and honest.

“They need to admit, ‘We made a mistake.’ Then they need to say, ‘Here are the safeguards we’ve put in place.’ I think that’s highly necessary. They have to reclaim that trust that was lost. At least as a consumer, I would hope this was done.”

Creating consumer trust in Web sites is something Ernst & Young is working on.

Cam Johnston, principal in the information security services practice at Ernst & Young in Toronto, said that seals of approval from reputable agencies, such as the one that his firm awarded the Air Miles site, are not treated lightly.

“The process is similar to an (official) audit,” Johnston said. He explained that there are official procedures, such as the Certified Public Accountants WebTrust certification, which need to be followed.

“WebTrust rules stipulate that users of the seal have to abide by prescribed practices and business methods. They have to earn those seals. Auditors can lose their jobs, their homes and their professional designations if they don’t faithfully follow the regulations.”

Johnston explained that the Ernst & Young seal must be accompanied by two documents: one from the auditor stating when the seal was granted, what conditions were examined and what the time period of the audit was, and the second from the site owner, describing management’s assurance to uphold security and maintain best business practices.

Johnston suggested that consumers using a site check the date of the audit as a means of ensuring that security measures are up to date.