Avoiding your own Yahoo-style data breach

Since disclosing a couple weeks ago that they'd perhaps been a tad sloppy with security practices, Yahoo has been experiencing the inexorable squeeze of the vise by regulators and legislators, salivating at putting CEO Marissa Mayer under oath to explain why breaches that happened in 2014 are just getting disclosed now.

You're not in charge of 500 million email addresses, so that couldn't happen to you, right?


Maybe you're not as juicy a target as Yahoo. But if you're involved at all in getting customer input for your organization, chances are you've at some point passed around reasonably large lists of customer data. Names, phone numbers, emails, purchasing information. It's the kind of stuff you'd probably rather not have end up in the wrong hands, even if it's not passwords and bank account information.

I caught up with Phase 5 VP Christine Sorensen about the time of Yahoo's breach and she had some sensible advice for making sure your customer's information remains yours, and not the property of anyone willing to pay 3 bitcoins (~$1800) to the seller known as "peace-of-mind."

Steve: What's the risk to customer data in our field?

Christine: There are a couple focus points of risk. The most obvious is "sample" -- i.e. customer and/or prospect data. If you're in a company and getting ready to recruit folks for a research project, you probably have a lot of sample. You might call / email against that sample yourself, or you might send it to vendors in the course of recruiting.

That's where it gets dicey. In our field, sending sample by emailing an unencrypted file containing thousands of names and email addresses is a practice which probably qualifies as a not-so-good practice. Although most of the time nothing bad is going to happen, is there anyone out there who's never sent an email to the wrong person? That would be the most common not-so-good scenario. You can hope that's all that happens -- email to the wrong person. If so, you're not likely to get sent to testify before a legislative body, but it's embarrassing at the very least.

And beyond sending it to the wrong person, there's always the potential issue you have with the unencrypted file -- having it end up on a stolen laptop or some other such scenario. Unlikely, but you don't want that to be your data on the evening news.

Steve: What are the best practices you've seen for sending sample?

Christine: Our most fastidious and conservative customers will actually forbid any transmission of customer data across the internet, even encrypted. Instead we exchange a CD or USB key with the data.

A step back from that level is to use encrypted online file sharing services. As long as you're bothering to do this, it doesn't hurt to spend the little extra time needed to share passwords by phone call. Sending the link via email along with the password is probably not much better than sending the unencrypted file in the first place.

Steve: Are there data security risks outside of sample?

Christine: Yes, I meant to mention that earlier. The one that comes to mind is the video from focus groups. First of all there's the question of what you can use that video for, given the laws and practices in your country. We blogged about video privacy in China and Germany recently. Any reputable research firm will make it clear to respondents exactly what the video will be used for. If a video is given a wider audience than originally communicated to the respondents, that would be a breach of sorts -- more of a breach of trust that security, but a breach nonetheless.

Video needs to be secured as well. Usually that's done by the research vendor, who is contractually and ethically obligated to do so. Occasionally you get a snafu, though. A client told me once of a vendor who got angry over a payment dispute and posted their focus group research video online! Not a happy situation and I can't imagine it helped the vendor resolve the original issue. The only lesson I can take out of that is that you not only need to have good non-disclosures in place -- you need to make sure you're working with well-established, well-run and reputable firms. That applies to focus group facilities too, not just full service research firms.

Steve: What's the risk at focus group facilities?

Christine: The risk I've seen is with respondent contact information. Facilities will print out a list of the respondents for the observers, showing their responses to the screening questions. In itself, that's perfectly normal and expected. The problem arises when they print out respondent contact information along with those answers.

Now you might think that the observers on a project would realize that they are not supposed to contact respondents in the study. I heard a story, though, from a market researcher at a large company. One of her internal clients had gone to a focus group to observe. The client was very interested in one particular respondent. She saw the respondent's information on the sheet the facility had printed out, and decided to contact the person directly for some followup questions! This of course after telling the respondents that all their information would be kept confidential.

Needless to say the incident did not look good for the researcher or the company. It's not the kind of breach that's going to make the news, but it's a risk worth avoiding.

Written by Steve Hansen

Steve Hansen, MBA, is the President of Phase 5 US. With almost 2 decades of experience in client-side marketing strategy, market research, and product management, Steve brings a client’s mindset and drive for actionable results to each project. He has extensive experience in capturing the view “from the outside” with a special focus on product and service innovation. Steve is based in Minneapolis, Minnesota.