Epsilon’s Email Breach Should Impact Future SLAs

Sunday, April 10, 2011

Allan Pratt, MBA


Most tech experts have chimed in about the Epsilon email breach that took place at the end of March. While it is too bad that the public was not informed until a few days after the breach, at least we were informed by the mainstream media.

But doesn’t it seem odd that we received notification of the security breach via email from Epsilon’s clients only after the mainstream media had reported it?

I received notification about the breach from Best Buy, McKinsey & Company, Marriott, and Disney Destinations. Two of the emails I received were signed by the company. McKinsey’s email was signed by McKinsey Quarterly’s Senior Managing Editor, Rick Kirkland, but the generic info@mckinseyquarterly.com was included for my use if I had questions.

The best email by far was from Best Buy for two reasons: first, it was signed by a real person, Barry Judge, Executive VP and Chief Marketing Officer; and second, it provided a link to a page on the Geek Squad website with “Six Steps to Keeping Your Data Safe.”

Yes, this was from a tech company, but still, its marketing team was alert to the situation and quick to provide information that consumers would find helpful and appreciate.

Marriott provided a link to a landing page on its site with the information that should have appeared in the email itself, but the page looked like little more than an extension of the corporate privacy policy.

In my mind, the discussion is focusing on the wrong thing. Sure, the security breach was bad, but why did all of the approximately 50 companies that hired Epsilon need Epsilon in the first place?

Customers had placed their trust in companies from Capital One to Ritz-Carlton to Verizon to Walgreens, among others, and those companies simply handed all of their customer data over to Epsilon.

What guarantees did Epsilon give its clients for data protection? Nothing can be guaranteed absolutely, but a company with this many clients must be able to show them that it has procedures in place for intrusion prevention and detection.

What did the service level agreements (SLAs) say, and did they spell out the precautions Epsilon would take to prevent such incursions? If none of this was covered in the SLAs, perhaps it is time for data-driven companies to write their information security requirements into the SLAs they sign with vendors.

So, what is the next step? You could close your email account and create a new one, which will definitely cause a headache or two. Or you could simply change the password on your email account.

Or perhaps this situation will give you the incentive to click “unsubscribe” on those hundreds of mailing lists you signed up for long ago and now delete without reading.

That way you can clean out your inbox and, at the same time, evaluate the value of the emails you receive. If that happens, maybe something positive came out of the Epsilon email security breach after all.

Comment from Christine Stagnetto-Sarmiento:

Hi Allan:

The breach occurred in March, and you stated we received e-mails from banks, credit cards, and so forth. My concern is: who gives out the information? I think that it is an organized criminal group, from the inside and the outside. I changed the passwords for all of them, but breaches sometimes cannot be detected with the use of some tools.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
