A joint investigation by the Canadian and Australian governments has released its findings on the 2015 Ashley Madison data breach. The resulting report has been released along with another document with takeaways for all organizations.
I’m still working my way through both documents, but there are some really good bits in there. In particular, though, this part of the takeaways document caught my attention:
Takeaways — Accuracy
The level of accuracy required is impacted by the foreseeable consequences of inaccuracy, and should also consider interests of non-users. This investigation looked at ALM’s practice of requiring, but not verifying, email addresses from registrants. While this lack of email address verification could afford individuals the ability to deny association with Ashley Madison’s services, this approach creates unnecessary reputational risks in the lives of non-users — allowing, for instance, the creation of a potentially reputation-damaging fake profile for an email address owner. The requirement to maintain accuracy must consider the interests of all individuals about whom information might be collected, including non-users.
Several people I know can attest to the fact that many online companies play fast and loose with data accuracy. They are continually getting mail for other people — usually with the same name, but not always. And while that isn’t always something that rises to the level of consideration that we see here with Ashley Madison, where reputations and relationships can be ruined, that doesn’t mean that these unwilling recipients should be receiving marketing and other — often sensitive — missives intended for other people. Sometimes it’s a bank statement, sometimes it’s a vacation itinerary, other times, it’s doctor’s appointment confirmation or an email giving lab results.
Data accuracy should be a driving concern for marketers. Instead, when suggesting that clients clean up data and find ways to validate it, I hear objections about sign-up velocity and the ability to unsubscribe if an erroneous sign-up happens.
While I haven’t blogged about the issue, the recent spate of Spamhaus listings blogged about by Laura Atkins (among others), where listings are occurring because individual lists are being used in a mass aggregate form to deny mail service to certain individuals should show us that there is, in fact, a practical level at which the “ability to unsubscribe” becomes the email equivalent to a “death by a 1000 paper cuts.” In these instances, sign-up velocity and the ability to unsubscribe from individual lists has to take a backseat to improving data accuracy.
I predict, though, that findings like this one from not one, but two OECD members will only embolden blocklist operators, including Spamhaus, to tighten their standards when it comes to mailers handling sensitive data. I foresee a time when allowing inaccurate data to be used to send sensitive information (financial statements, medical information, and the like) which then lands in spamtraps will be grounds for immediate listings.
The truth here is that the owner of the mailbox doesn’t want the mail. But, just as importantly, the data subject who is not the mailbox owner his just as great of an interest in their private data not being shared with other, 3rd parties. And that includes if the fault is ultimately the data subject’s for giving the wrong address.
We’re coming to a time when it will be incumbent upon mail senders — especially those handling sensitive materials — to be as certain as possible that the person behind the email address is the person who entered the data onto the form. If that certainty cannot be achieved, then penalties will surely follow.