Roche Diagnostics – Anatomy of a serious data breach
On Wednesday 9 May 2007, the Roche Diagnostics marketing team must have been very happy. The very first edition of ‘Reach' had been sent to all the people who had registered for the Accu-Chek newsletter. Accu-Chek is a range of diabetic monitoring equipment for the patient's own use, and is well known and well respected, as is Roche Diagnostics. But, as the newsletter hit inboxes, they learned that things had gone very wrong indeed, and that highly confidential medical data about patients was haemorrhaging from their database.
The Data Breach
The details of the marketing disaster are already in the press, and are followed in detail by the blog ‘Marketing by Permission'. The facts are very simple:
- Data records for random individuals were visible to any recipient who clicked the ‘update my profile' link
- The data records included details of drug régimes the patient was on, such as warfarin
- Full personal details, including email and street addresses and phone numbers were revealed
These, especially the medical element, which is sensitive personal data as defined by the UK 's Data Protection Act 1998, are required by law to be kept securely and not transmitted to third parties without the express consent of the individual whose records they are.
That alone would have been enough to say “This was a total disaster”, but there was more to see that showed a very poor process for the approval of marketing campaigns:
- The transaction to update one's profile, assuming one could ever see one's own data, was not behind SSL technology. No padlock, no https:, no encryption.
- There was no login or password process to protect the data form inadvertent release
Such things are an act of pure naïvety, and such carelessness shows a limited understanding of the compliance needs of any marketing organisation. The final piece of this disastrous jigsaw was the refer a friend scheme.
Refer a Friend is a simple area to get right. There is a simple checklist of things to do in order to be both lawful and ethical:
- Make the email address (at least) of the referring friend a mandatory field
- Use the referring friend's email address in the body of the email sent, plus any other details they have provided
- Make the subject “<friend> wants you to see this” (or similar wording)
- Open the text with “<friend> has visited our site at <url> and filled out the form there to suggest you visited. If you do not recognise <friend> you may have received this as a mistyped email address. You do not need to take any action. We do not keep your data on any database because of this referral, and you have not been subscribed to anything at all, nor have your details been passed anywhere at all. In fact we keep no records of the matter. We were simply happy to sent this on <friend's> behalf.”
- Then put your marketing message, call to action or whatever you choose
- Then close with “You will hear nothing else from us as a result of this referral. You have not been added to any database and there is no need to ask for removal”
- Note the self imposed restrictions on data, and stick to them
- Send a copy to the referring person. The “cc” field is ideal.
- Optionally consider querying the referring person's domain and email address to determine if they are valid prior to sending the referral. Invalidity implies mischief. Do not send a referral from a mischief-maker
- If you expect high volume mischief, prior to implementation, deploy a CAPTCHA check as part of the referral process to minimise the potential for automated abuse
- Ensure the page where the friends are to be referred has a correct Fair Processing Notice (statement of what will happen to the data entered) to ensure that the referring friend can make an informed decision about submission or not
Roche Diagnostics has number 1 correct. It pre-fills the email address of the referring party. In fact the pretty much handled 1-3. The remainder they fall short on. Why does this matter?
- Personal data is not to be used willy nilly. The use of the data must be declared at the point where the data is captured, especially is there is any scope at all for confusion
- Brand protection is important. Taking immense care in areas like this shows that you value your own brand. And if you as the principal value the brand there is a chance that we, as customers will value it also.
The one very peculiar thing they did was to forward the email that they had sent, with the same ‘Update my Profile' link. Now, today, no-one can say what record that link was pointed at. It could have been anything form a blank record for a new subscriber to the record of the person who forwarded it. It was probably the random data that the newsletter allowed access to in this case, and we assume that whole system will be scrapped because of the security breach.
So we should add a 13th rule: Never, ever, forward a link to someone else's data record when referring a friend.
Proper Process to avoid embarrassment
The areas that appear to be absent within Roche Diagnostics are the following:
- Always involve the Chief Privacy Officer in the planning of all campaigns
- The Chief Marketing Officer bears responsibility for all campaigns. The campaign must be inspected and all links tested under the direct authority of the CMO and outside the team who owns the campaign. A physical signature is required that this has been done before the campaign may be issued
- The CIO is responsible for the delivery of and security of data to the CMO for all campaigns. The campaign must be checked under the direct authority of the CIO and a physical signature of approval and fitness or purpose is required before the campaign may be issued
- The CPO is responsible for the lawful and ethical use of personal data. Since data protection legislation is the criminal law, not the civil law, it is not only embarrassing if data escapes, but it is, potentially, an unlawful act. The CPO must be satisfied that the data is properly protected, that it is used only for the purpose for which it was collected and that it cannot escape. A physical signature to this effect is required before the campaign may be issued
Had this process been in place the probability of such an appalling breach of confidence would have been reduced to infinitesimally small. The campaign would have been a success, not a failure, and Roche would not have received the unwelcome adverse publicity. As it stands, while their brand us substantial enough to resist the damage, and their products are sufficiently distanced from their name to avoid damage by association, this campaign has probably cost them more in firefighting than it has brought them in revenues or loyalty.
RMS Titanic would not have sunk if there had been better attention to detail in the design of the tops of the bulkheads. Roche's newsletter needed better bulkheads