Protecting email deliverability before and after a data breach
The financial impact of a data breach continues to climb for businesses. IBM’s 2018 Cost of a Data Breach Study placed the average total cost of a data breach at $3.86 million, an increase of more than six percent compared to 2017. Every stolen or lost record costs a company $148, putting a hefty price tag on breaches of any size.
Beyond immediate expenses, the required email notification to customers in the database can hurt a company’s ability to recover from the breach. FTC regulations require the company to contact every customer in its database via email or another method, such as direct mail. If there is a spike in undeliverable emails, mailbox providers (MBPs) will notice it, and the company’s email deliverability will suffer. Thankfully, this impact can be reduced by minimizing unnecessary data before a potential breach and acting immediately after recognizing the breach.
Before a Breach
- Data should be timely: There are no set rules for data retention, but many companies store data much longer than needed, leaving them in a vulnerable state. In 2018, a data breach revealed the HIV status of more than 14,000 people. More than 60 percent of the people in those records had been diagnosed before December 2011, and all of them before January 2013. A company should consider how it uses stored data, or whether it uses it at all. Unused data should be deleted after a reasonable amount of time, and valuable data should be anonymized if possible.
- Data should be relevant and protected: In September 2018, Marriott learned of a data breach that exposed the passport information of more than five million guests. As a result, Marriott will pay the replacement costs for those affected, at $110 per replacement. Many companies like Marriott hold on to irrelevant data or don’t take the proper measures to protect relevant data.
- Data should be safely accessible and swiftly transferable: Employee turnover is a threat to data, with almost 70 percent of companies suffering data loss due to turnover. Many companies do not delete a former employee’s data, and others do not remove their own company data from employee-owned devices before departure. The knowledge gap between the former and the new employee can also lead to vulnerabilities: a new employee may not know about existing sensitive data, leaving it open to access by anyone.
Reducing Deliverability Impact After a Breach
The FTC may require a company to disclose a breach to all potentially affected, but with proper preparation, a company will be in the best position possible to reduce damage to email deliverability.
- Notify email and mailbox providers: Keeping a company’s email reputation intact after a breach starts with notifying the company’s email service provider (ESP). An ESP may be able to warn an MBP before notifications are sent to unresponsive and inactive accounts. This warning will help the MBP understand why the company is engaging in what is normally perceived as poor sender behavior. A company can also ask its ESP to notify the email community as a whole, and the ESP may be able to offer an alternate sending IP address.
- Maintain consistent messaging: After notifying MBPs and ESPs, transparency and consistency in messaging is key. Customers will be suspicious of any message coming from the company, so the public FAQ should include messaging giving customers an idea of how they will be contacted. This notification should be from a subdomain (sub.250ok.com) instead of a cousin domain (cousin-250ok.com). It is also important for messages to follow brand guidelines to give customers assurance in the legitimacy of notifications.
- Protect your domain: Double-check SPF and DKIM records before sending a large volume of notification mail. The company should ensure its DKIM keys are properly configured and that its SPF record ends in ~all or -all. DMARC records should also be set to p=quarantine or p=reject to prevent copycats posing as the company’s brand.
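As an added example (not code from the original post or from 250ok), the following Python linter checks SPF and DMARC TXT record strings for the settings recommended above: an SPF record that ends in ~all or -all, and a DMARC policy of p=quarantine or p=reject. The records are constructed sample strings for a hypothetical example.com; nothing is fetched from DNS, and the extra checks (the 10-lookup SPF limit from RFC 7208, pct, sp and rua in DMARC) are this example’s own additions to the post’s advice.

```python
"""Lint SPF and DMARC TXT records for the settings discussed in the post.

Added example; the record strings below are constructed for a hypothetical
example.com and are not real DNS data.
"""

import re

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation,
# and exceeding the cap yields a permerror (the record is treated as broken).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def check_spf(txt: str):
    """Return (strong, reasons) for an SPF TXT record string."""
    reasons = []
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False, ["not an SPF record (missing v=spf1)"]
    all_qualifier = None
    lookups = 0
    for term in terms[1:]:
        qualifier, body = "+", term          # an unqualified term means "pass"
        if term[0] in "+-~?":
            qualifier, body = term[0], term[1:]
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier        # last 'all' wins
        elif name in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        reasons.append(f"{lookups} DNS-lookup terms exceeds the limit of 10 (permerror)")
    if all_qualifier is None:
        reasons.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        reasons.append("+all authorises every sender; use ~all or -all")
    elif all_qualifier == "?":
        reasons.append("?all is neutral; use ~all or -all")
    return not reasons, reasons


def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict keyed by lower-case tag."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(txt: str):
    """Return (strong, reasons) for a DMARC TXT record string."""
    tags = parse_dmarc(txt)
    reasons = []
    if tags.get("v", "").upper() != "DMARC1":
        return False, ["not a DMARC record (missing v=DMARC1)"]
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        reasons.append(f"p={policy or '(missing)'}: spoofed mail is only monitored, not blocked")
    # The subdomain policy defaults to p; an explicit sp=none would leave a
    # notification subdomain unprotected even when p itself is strict.
    if tags.get("sp", "").lower() == "none":
        reasons.append("sp=none leaves subdomains unprotected")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        reasons.append(f"pct={pct}: policy applied to only part of the mail stream")
    if "rua" not in tags:
        reasons.append("no rua= address: aggregate reports on spoofing attempts will not arrive")
    return not reasons, reasons


# Constructed sample records: a weak and a corrected form of each.
SAMPLE_RECORDS = {
    "spf_weak": "v=spf1 include:_spf.example.com +all",
    "spf_strong": "v=spf1 include:_spf.example.com -all",
    "dmarc_weak": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "dmarc_strong": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com",
}


def lint_all(records=SAMPLE_RECORDS):
    """Run the matching checker over each record; returns {name: (strong, reasons)}."""
    results = {}
    for name, txt in records.items():
        checker = check_dmarc if txt.lower().startswith("v=dmarc1") else check_spf
        results[name] = checker(txt)
    return results


if __name__ == "__main__":
    for name, (strong, reasons) in lint_all().items():
        print(f"{name}: {'OK' if strong else 'WEAK'}", *reasons, sep="\n  ")
```

Run against real records by pasting the TXT values obtained from DNS into `SAMPLE_RECORDS`. Because the post recommends sending notifications from a subdomain rather than a cousin domain, the `sp` check matters: a strict `p=reject` on the organizational domain already covers subdomains unless `sp` overrides it, so an `sp=none` left over from earlier testing would undo exactly the protection the notification subdomain needs.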
Unfortunately, breaches are becoming the norm for businesses, but companies aren’t helpless. Caution is key for email distribution and data retention, and the ultimate goal is to protect customers and their information. By placing value on their data and wisely maintaining email lists, a company can mitigate the long-term impact of a data breach on its email deliverability.
Matthew Vernhout is a digital messaging industry veteran and Certified International Privacy Professional (CIPP) with more than a decade of experience in email marketing. Matthew is 250ok’s Director of Privacy, and he is currently the Vice Chair of the Email Experience Council, after serving for several years as the Chair of their Advocacy Subcommittee.