Cybersecurity, Privacy and the 'Connected Store' in Canada

  Photo courtesy of Rebecca Minkoff

Photo courtesy of Rebecca Minkoff

By Ritchie Po

As e-commerce changes our shopping habits, the way we interact with retail changes in both virtual and brick-and-mortar shops. Big box retailers such as Best Buy are evolving to fit their customers’ needs, while media and entertainment outlets such as Indigo and HMV have also re-branded and changed strategy. Recently, Canadian Tire unveiled their plans to become “the most innovative retailer on the planet”, when CEO Michael Medline unveiled their plan to create digitally enhanced experiences at Sport Chek stores in the future. It makes business sense to engage the customer in person to ensure repeat business, beyond simply undercutting pricing until the profit margin vanishes. The increasing integration of digital commerce into the in-store experience naturally gives rise to the concept of the “connected store”, a topic on which Microsoft Retail Industry Leader Dave Rodgerson recently delivered at the Retail Council of Canada’s annual Retail West 2015 Conference in Vancouver.

  Dave Rodgerson

Dave Rodgerson

“In the future, the traditional, stationary POS with a cash drawer will be less common, being replaced with mobile technologies that allow the associate to serve the customer out on the selling floor, away from a cash wrap counter”, Rodgerson told Retail Insider. “All of this suggests wireless connectivity, not just to the retailer’s proprietary systems, but also to the payment processors. Likewise, consumers will be moving more to digital wallets. Each of these changes demand that a higher degree of security be in place to protect the integrity of the data that is being exchanged.”

Here’s how the connected store works. Imagine going into a women’s wear retailer where you bought a skirt a few weeks ago. You’ve returned looking for a top to go with that skirt. The connected store’s online database will be able to retrieve suggestions from their internal inventory and add them to your customer profile. This will be done by accessing your in-store profile, which would include your age range, purchase history, measurements, preferences and payment information. You can then decide if you want to try the item and, if you like it, there may be an opportunity for up-sell and cross-promotion on a matching blazer, belt or shoes. If the retailer has upcoming sales or other shopping, they can invite you to these events, creating an incentive to return and generate repeat business. Luxury retailer Rebecca Minkoff already has this in place in their Soho location, and it has met with great success. The connected store allows you to get a complete look without going to another retailer, making the transaction convenient and seamless. It also builds brand loyalty, as the customer will be made to feel she is given service equal to the white-glove VIP service typically reserved for luxury boutiques.

All of this means that you as the customer must opt into the retailer’s database and freely consent to give your information to the retailer to store for future purchases. With the amount of personal information stored in the database, the retailer must ensure that they diligently and consistently safeguard their clientele’s privacy.

Depending on where you live in Canada, there is a difference in the kind of sensitive data you give to your favourite store. For instance, “personal identification information” is defined in the Digital Privacy Act and public-sector privacy laws as any information that identifies you, such as your name, date of birth, social insurance number, credit card information, or other unique identifier. “Personal information” can be differentiated, as that includes other personal data that is not an identifier but may be considered private, such as your credit history, religion, marital status, sexual orientation and health information. In the retail world, this would include details in the connected store that helps a retailer obtain merchandise for you, such as your size, buying habits, the amount you’ve spent before, and other things you may not want others to know. The prudent retailer would understand that the information entrusted to them should enhance a customer’s shopping experience, and not be used as a “hard-sell” technique or for marketing purposes. Nothing turns off a consumer more than a pushy telemarketer or canvasser from a “partner” company targeting you off the customer list.

Diane J. Brisebois, President and CEO of Retail Council of Canada, speaks on Canadian Tire's 'Store of the Future'

All this personal information in the retailer’s hands means that they must retain and maintain robust IT security practices to safeguard customer information. After the sale is made, the retailer often stores the information to complete the transaction with the credit card company, and the ease of “one-click” shopping means that customers choose to keep credit card information in the database until he or she deletes the information.

“The payment process is just one element of a digital landscape that exists within a store system”, says Rodgerson. “As the store of the future becomes more interactive, the line between the in-store and on-line experience will become less distinct. It could well be that the communication between in-store signage and the consumers’ smart phones could be leveraged by criminal elements as a point of attack.”

“In recent years, the retail industry has seen some significant breaches, where the consumers’ data has been stolen, most notably, the attacks on Home Depot and TJ Maxx. In each of those instances, the attack was made possible through weaknesses that were found in the retailer’s POS system.”

Whatever the reason for privacy breach, the result to a retailer can include, depending on the size and nature of the breach, millions in dollars lost to crisis management, breach notification to privacy law regulators, and defending and settling class-action lawsuits that arise. It also leads to a loss in productivity, as retailers dedicate resources away from sales and product development towards risk mitigation and salvaging the brand name. Stock prices often drop as a result, and the public embarrassment would mean millions, particularly when a brand’s index falls and the court of public opinion weighs in mercilessly on social media. According to the 2015 World Economic Forum, both data fraud / theft and cyberattacks are listed in the top 10 risks of likelihood, right next to earthquakes, war and water crises. It’s no wonder that Cyberinsurance is forecast to triple in size into a $7.5 billion industry by the year 2020 according to Reuters.

There are numerous ways to mitigate risk in the connected store. “What we’re seeing in the way of CHIP/PIN encryption is a great start, but I can also imagine a time in the not too distant future that additional safeguards will need to be in place”, Rodgerson tells us. A retailer must put robust IT security practices into place, complete with a data recovery plan in the event of a data breach. Security architecture and risk assessments are also key factors in ensuring that the environment is assessed at a high level, with up-to-date standard operating procedures. Additionally, retailers must understand their regulatory and legal requirements, and implement continuing privacy education and audits into place. All software must be subject to a privacy impact assessment prior to being launched, and prepared with external audits in mind. Most retailers appoint both a Chief Information Officer as well as a Chief Privacy Officer, with the two roles collaborating frequently to ensure ongoing due diligence. Most CPOs also report to their in-house legal departments, and leverage training through human resources. Marketing creates brand awareness, but privacy education and cybersecurity awareness training are the cornerstones of keeping a customer’s trust.

The connected store is not a concept. It is in fact already in place at many retailers in a more nascent form, but will continue to grow. The key is to safeguard customer information and earn their enduring trust. A credit card breach is not only embarrassing, but would also lead to a drop in customer confidence and lower sales as a result. As the connected store enhances the shopping experience, the retailer’s IT security network and privacy protection programs must continually mature and grow in sophistication, as with their customer’s tastes.

Ritchie Po is a cybersecurity and data privacy lawyer in Vancouver, B.C. He received his J.D. from the University of Alberta in 2003, and was Called to the B.C. Bar in 2005. Ritchie is the co-chair of the Canadian Bar Association’s Freedom of Information & Privacy Law subsection, the course chair for the CBA’s 2015 Privacy Law Conference, and head of the CBA’s Special Committee to Review the Freedom of Information & Protection of Privacy Act. He is also a style columnist whose column “Knotwerk” features regularly on The Closet YVR, and is a Contributing Editor for Retail Insider

Canadian Retail News From Around The Web: October 29, 2015