Craig Spiezle, president of the Online Trust Alliance, argues retailers need to redouble their efforts at building and sustaining consumer trust.
Retailers like to trumpet the value of the customer data they have amassed, including shopper preferences, browsing history, Facebook Likes and other social data. For many, obtaining such data is a measure of consumer "trust," yet many consumers have little awareness of the data being collected, used and shared with unaffiliated third parties. With a 117% increase in the number of data loss incidents tracked in 2012 from 2011, it appears retailers and other companies may be under-investing in providing transparency, securing consumers' data and protecting their online reputations.
These incidents not only impact consumer confidence, but also lead to an increase in online fraud, account takeovers and identity theft. In 2012 these incidents cost businesses more than $8.1 billion, according to the Open Security Foundation, an information security nonprofit organization.
Over the past four years, the Online Trust Alliance (OTA) conducted Online Trust Honor Roll audits. The 2013 Online Trust Honor Roll, which will be released at the 2013 Internet Retailer Conference & Exhibition (IRCE), examines the brand protection, security and privacy protection practices of more than 750 web sites, including those maintained by merchants in the Internet Retailer Top 500 Guide. With publicly disclosed criteria, sites were audited and analyzed based on the adoption of industry-accepted best practices, open standards and privacy policies and practices that comply with industry norms—criteria and best practices advocated by the Federal Trade Commission, U.S Department of Commerce and National Institute of Standards and Technology.
This year's audit was coupled with dozens of interviews with executives about the virtues of trust, privacy and data security. It was striking how these business leaders believe their organizations are committed to data security, privacy and best practices, yet when pressed to detail their investments, few could articulate specifics, while others defended why those best practices do not apply to them.
The 2013 audit revealed that 24.4% (122) of Top 500 retailers made the Honor Roll, obtaining a score of 80% or better. The top 10-scoring e-retailers will be recognized at IRCE on June 6 for their commitment to protecting their customers, enhancing online trust and support of self-regulation.
While we should commend the e-commerce Honor Roll recipients for their efforts, 75.6% percent of Top 500 retailers did not make the grade. A significant concern is the number of retailers receiving failing grades (below 55%) in one or more of the three major categories measured:
Domain, brand and consumer protection: 22% failed to takes steps to prevent e-mail or domain spoofing and spear phishing—which is when criminals send fake e-mails disguised as personalized messages from a bank or financial institution to try to get consumers to reveal personal data or unintentionally install malware. These are leading causes of account takeovers and identity theft.
Site, Server & Infrastructure Security: 11% of sites had visible vulnerabilities exposing data to hackers.
Data Protection & Privacy: 35% did not have compliant privacy policies and data collection practices.
While these retailers' systems and policies may have once been compliant and secure, the report underscores the need for merchants to continuously review their sites to ensure they have adapted to the rapidly evolving security and privacy landscape. Faced with rapid innovation and the proliferation of data about individual consumers, yesterday's norms and narrowly focused baseline compliance programs are no longer adequate.
"Trust is one thing that changes everything," writes Stephen M.R. Covey in the book "Speed of Trust." Mr. Covey is spot on. Trust takes time to build and only seconds to lose. Zappos.com CEO Tony Hsieh stated it best after hackers accessed the e-retailer's database, exposing 24 million customers' records last year: "We've spent over 12 years building our reputation, brand and trust with our customers. It's painful to see us take so many steps back due to a single incident." Zappos, a subsidiary of Amazon.com Inc., has since made significant efforts, demonstrating an increased commitment to consumer protection, and has earned a slot on the 2013 Honor Roll.
Retailers need to make moving from compliance to stewardship a key business objective. While meeting compliance requirements may satisfy legal and fiduciary responsibilities, it is merely a baseline and may not increase a brand's value proposition. Not unlike customer return privileges heralded by the likes of Nordstrom Inc., retailers need to embrace the concept of data stewardship: the business ethics, practices and sustainable management of the data entrusted to them, while meeting consumer expectations.
In developing your trust practices and stewardship plans, think carefully about your customer and don't assume all customer segments view their privacy the same. For instance, the Facebook generation (Gen Z) is more open to sharing personal information online, while baby boomers are more privacy-conscious and selective with whom they share. While Gen Z may be your primary target audience based on traffic, their casual privacy attitudes should not overshadow the views of other market segments or justify your strategy. It is essential to recognize that privacy attitudes evolve. Teens and college students' online postings may reflect an indifference to privacy but that attitude can quickly change as they enter the workforce, have families and define their careers.
Mindful retailers shouldn't wait for public pressure or regulations that could inhibit innovation and undermine the value of data-driven marketing. They should align privacy protection and security best practices in tandem with the rapid pace of change. In the absence of regard for consumers, we are now facing an arms race, with browsers and other solutions increasingly blocking data collection. As witnessed in the Do Not Track debate, privacy advocates and trade organizations are failing to find common ground. These stakeholders need to look beyond their short-term self-interests and understand the long-term consumer impact and importance of stewardship. Left unchecked we risk an erosion of trust, which will undermine our long-term goals, hamper click-through rates and minimize user engagement.
While customer service and shipping polices have historically been part of a brand's value proposition, retailers would be well-advised to highlight security and privacy as part of their brand promise. Doing so can increase consumers' confidence and reduce the threat of them abandoning their shopping carts.