FASHION + TECH

Fashion+Tech+Security: Cyber Beware

by Nicole Reader, 21 JULY 2020

The University of Maryland reports that on average hackers attack every 39 seconds, affecting 1 in 3 Americans each year (“15 Alarming Cyber Security Facts and Stats,” June 20, 2020, Devon Milkovich). The first quarter of 2020 was one of the worst on record in terms of consumer data breaches, with over 8 billion records exposed. (RiskBased Security, 2020 Q1 Data Breach Overview).

We’ve seen over the years that fashion brands are no exception when it comes to falling victim to cybercrime: many large brands and retailers, such as Macy’s, Adidas and Poshmark, have had millions of their consumers’ personal data compromised. Fashion platform Poshmark, with about 50 million customers, last year experienced the theft of user information including not just name, address, and login credentials but also clothing size data. (“Important Security Notice from Poshmark,” blog.poshmark.com, 1 August 2019).

As the fashion industry continues to embrace technology at a rapid pace, to attract customers and enhance their IT infrastructure for operational efficiencies, it's essential they do so without compromising their security or their customers. Whether it is creating virtual runway shows, digitizing a collection for a campaign, testing out a virtual try-on system or implementing a new inventory management system, investing in any new retail tech innovations or working with outside contractors requires that a fashion brand trusts the technology partner with valuable information. Such information may consist of a brand’s design files and patterns for unreleased collections, pricing and inventory data, confidential customer data or photorealistic 3D CGI representations of top modeling talent. Virtual try-on (VTO) systems are of particular cybersecurity concern to brands, as they tend to capture very detailed and confidential data of customers' measurements and/or images and may also capture sales activity and analytics of business operations.

Fashion brands need to be aware of the potential liabilities they could indirectly face if they choose retail tech partners or outside contractors who don’t have sufficient protection and threat detection systems and procedures in place, or who are ill-equipped for handling security data breaches, because this can expose fashion brands to cyber threats. Insider threats such as social engineering and back-door application breaches, where outside software being used hasn’t been adequately written or the network isn’t architected securely, are the three most common cybersecurity breaches among stolen login credentials, malware and permission settings of employees. Careful consideration of the data protection policies and practices of technology providers is a necessity before selecting partners who have access to such important information. The questions each brand should ask themselves are:

  1. What are our ‘crown jewels’ – the most important assets or sensitive data that we need to protect?
  2. Are we taking the necessary precautions to safeguard our clients’ data?
  3. Privileged access to traverse data through the network – can we reduce the risk of compromise? Who has access and why? Do any of our technology partners or contractors have access to those assets?
  4. How are we protecting those assets? Have we trained our employees on potential threats?
  5. How are our partners protecting those assets? What are their policies, procedures and systems?
  6. Is protecting our assets and our clients’ data our technology partners' top priority?

VTOs & Sensitivity of Data

Shopper discomfort with fitting rooms is what has brought attention to the topic of virtual try-on (VTO) systems – a survey from First Insight reported 65% of women and 54% of men do not feel safe trying on clothes in fitting rooms in a post-COVID-19 world – as have regulations or store policies making the operation of fitting rooms impractical or uneconomical. VTO solutions are now being considered by many brands and retailers in order to give buyers the same fitting confidence that comes from physical try-on but in a “contactless” process. VTOs can increase consumer confidence in fit, and the resulting reduction in returns and exchanges will increase profits and reduce the environmental footprint of the industry.

However, as the popularity of VTOs rises, so do security concerns. The post-pandemic outbreak has finally attracted the attention of influential press and industry analysts, with The Washington Post publishing a feature article last week. (Abha Bhattarai, “Virtual Try-Ons Are Replacing Fitting Rooms During The Pandemic,” The Washington Post, 9 July 2020).


Photo Credit: Modern Mirror AFS

The seriousness of data breaches and the problem of sensitive data became evident to me early on in our development stages of the Modern Mirror Avant-Garde Fitting System (AFS), after more and more headlines kept appearing on cyberattacks on large entities. Identifying the sensitive data ‘crown jewels’ we would have in our possession meant it was essential that while architecting our system design we were also architecting how to safeguard brand and client data in parallel. Protecting the brands, their clients and ourselves should not and would not be an afterthought. All data must be treated with the same level of importance as designing and developing the entire system.

In my pursuit of trying to understand the magnitude of cyberattacks and how best to protect our organization and our clients, I had to first learn from white hat hackers and cybersecurity companies how systems and networks could be infiltrated and the potential vulnerabilities, the role social engineering plays, how human error is one of the leading causes of the attacks and the phrase “it’s not a matter of IF …. it’s a matter of WHEN.”

While there were a few pioneers in the VTO space who had been working to publicize the sensitivity of VTO data and the need for careful handling of it, it was still an area that wasn’t given much attention until recently, when major publications, such as the Washington Post, started bringing more awareness to the subject matter.

What I thought was just part of my job as CEO, learning how to best protect the Company even at a start-up phase, intrigued many cybersecurity industry influencers, resulting in having me partake in panel discussions, workshops and presentations relating to the importance of cybersecurity at any stage of an organization. Bradley Barth from SC Media reported on a keynote presentation I had delivered stating, “usually, it’s up to a company’s IT leaders to convince the CEO that investment in security and privacy technology is necessary. But at SC Congress Toronto yesterday, one CEO of an SMB said it was she who informed her corporate team that they could do more. Somewhere, a frustrated IT security executive wishes they worked for Nicole Reader.” (Bradley Barth, “Modern Mirror CEO reflects on security and privacy,” scmagazine.com, June 3, 2016.)

In a typical VTO system, multiple full-body images of the customer, in either form-fitting clothing or undergarments, are captured by a mobile camera or 3D body scanner. A range of measurements is extracted from these images, leading to fit recommendations or made-to-measure garments. In more advanced systems like Modern Mirror’s AFS, a photorealistic and dynamic animated model of the customer’s own body can be shown dressed in 3D digital models of garments in recommended sizing. Furthermore, detailed analytics can be generated about customers’ body shapes, fit and style preferences, interactions, and purchasing behaviors.

The purchasing history and customer preference data collected are similar to what e-commerce sites have been collecting about consumers for over two decades. However, the high-fidelity body data of the customer, which can be used to create images and videos indistinguishable from real photos and videos, is what adds a whole new set of risks and opportunities for abuse if the datasets are not managed with exceptional care.

In order for such technologies to be deployed and adopted successfully by a brand's clients, there needs to be a significant level of trust between the client and the brand that the client’s personal data will not be exploited. Analyst firms, such as Ernst & Young, believe that establishing consumer trust is essential in convincing post-pandemic shoppers to return to physical retail stores, and authenticity and transparency are key brand attributes that consumers are looking for now. (Kathy Gramling, “In a Post-Pandemic World, Is Trust the New Consumer Currency?” Sourcing Journal, 15 July 2020)


The amount of information that fashion brands and retailers are able to accumulate about their customers has already attracted attention (George Arnett, “What Fashion Retailers Know About You,” Vogue Business, 23 January 2020). Over the years, security analysts have expressed concern that apps that operate on selfie pictures taken in the user’s home capture not only the user’s image but also the surrounding environment and in some cases location as well. This type of information can be analyzed to extract even more insights on a user’s lifestyle and habits, a process that has already been occurring with social media platforms. (Douglas MacMillan and Elizabeth Dwoskin, “Smile! Marketing Firms Are Mining Your Selfies,” The Wall Street Journal, 9 Oct. 2014).

Proper protection of personal data and openness about its use are obligatory when maintaining trust. Luxury Institute CEO Milton Pedraza observed, “It stands to reason that [consumers] should overwhelmingly trust luxury brands with their data far more than mass market brands, but this is not yet the case. In a digitized world where privileged access to personal data for advanced personalization and deeper relationship building will be absolutely critical, luxury brands need to step up their trust quotient far above commodity mass market brands immediately.” (Luxury Institute, “Luxury Brands Missing Big Opportunity In Building Trust With Affluent Clients On Relationship Building And Data Sharing,” 19 May 2020)

VTO Data Equivalent to Medical Data

Body images and/or extracted measurements from consumers are the foundation and sole purpose of why VTO systems are used. This type of information is regarded as “special category” biometric data under General Data Protection Regulation (GDPR) standards in the EU, where more stringent protection standards apply, and should be managed in a manner similar to how imagery is managed in the healthcare industry.

The healthcare industry has developed regulations and best practices for managing and protecting highly sensitive patient data, and in the US it is required to adhere to the data security standards for personally identifiable data specified by the Health Insurance Portability and Accountability Act (HIPAA). In the EU, the 2018 GDPR addresses “sensitive personal data” and such compliance is regarded as a gold standard that also satisfies the requirements in other regions. Requirements of both HIPAA and GDPR have resulted in the development of widely accepted practices and cybersecurity solutions for protecting body imaging information.

Several principles underlie regulations around the world regarding collection and use of medical data, and are equally applicable to personal data from fashion technology solutions:

  • Explicit consent must be given before collection of the data, and consent may be withdrawn at any time (and the data deleted)
  • The organization collecting the data must be transparent about what data is collected, what purposes it will be used for, and who will have access to it
  • The data collected must be no more than necessary for carrying out the stated
  • The data must not be used for other purposes beyond the stated purpose
  • The data must be secured against unauthorized release or abuses

Building a Fortress

A well-rounded security architecture is structured around a well-known framework, based upon existing principles and guidelines within the cybersecurity industry, that consists of the fundamental principles for managing risk and mitigating losses:

IDENTIFYING: the assets (‘crown jewels’) of the organization, the accessibility of the assets, understanding the risk exposure of security threats and putting in policies and procedures for managing such risks.

PROTECTION: the implementation of data protection systems to mitigate possible security data breaches and training teams on how to safeguard their personal and company information from outside attacks.

DETECTION: the implementation of monitoring solutions that will detect if there has been a security breach or alarming behaviour in order to mitigate risks.

RESPONSE: a response plan consists of the policies and procedures when reacting to a security breach or cyberthreat.

RECOVER: the recovery strategy indicates how your organization will restore your systems or assets that have been breached.

Cloud services are ideal from a cost and data processing perspective; however, it's important to recognize that there are also risks associated with storing highly sensitive data in the cloud, even on large providers' platforms such as Amazon AWS. Even though there are security fortresses built around such platforms, we’ve seen large companies still get attacked, and as we all know, no one is immune to cyber threats. It’s not a matter of if it’s going to happen; it’s a matter of when it will.

At Modern Mirror we have taken a multi-pronged approach to protecting sensitive data, to ensure maximum protection: opting to store client and brand data in highly encrypted formats on hardware which is under our direct control, tightly managing access levels of sensitive data, and determining when and if it's necessary to store or transport the data on cloud platforms, while ensuring stringent policies and procedures in order to mitigate associated risks. Datasets that belong to individual brands are stored in segmented databases, and access is restricted only to designated personnel who are directly working with the brands.

A multi-step process is required when safeguarding clients’ 3D body imaging data due to the severe sensitivity of the data. 3D body imaging data that doesn’t contain metadata information cannot be directly linked to an individual person. Securing the resolution of the identifiers connecting the images and data to client profiles, which are stored in a separate encrypted database, assists in enhancing privacy protection and mitigating potential threats.
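One way to structure the identifier split described above, together with deletion when consent is withdrawn, as an added example that is not Modern Mirror's code. The field names, class and sample record are hypothetical, and plain dictionaries stand in for the two databases (encryption at rest is out of scope here).

```python
import secrets

# Fields assumed to identify a person; names are hypothetical, not from the page.
IDENTIFYING_FIELDS = {"name", "email", "device_id", "capture_location", "captured_at"}


def strip_metadata(record):
    """Return a copy of a scan record with identifying metadata removed."""
    return {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}


class SegmentedStore:
    """Keeps body data and the client-to-scan link in two separate stores.

    In production the link store would be its own encrypted database with
    tighter access control; plain dicts stand in for both stores here.
    """

    def __init__(self):
        self.scans = {}   # random token -> scan with metadata stripped
        self.links = {}   # client id -> token (the only way to re-identify)

    def enroll(self, client_id, record):
        if client_id in self.links:
            raise ValueError("client already enrolled; delete the old scan first")
        token = secrets.token_hex(16)  # random, so not derivable from the client id
        self.scans[token] = strip_metadata(record)
        self.links[client_id] = token
        return token

    def scan_for(self, client_id):
        """Resolve a client's scan; needs read access to both stores."""
        token = self.links.get(client_id)
        return None if token is None else self.scans.get(token)

    def withdraw_consent(self, client_id):
        """Delete the link and the scan; returns False if nothing was stored."""
        token = self.links.pop(client_id, None)
        if token is None:
            return False
        self.scans.pop(token, None)
        return True


# Constructed sample record, not real data.
SAMPLE = {"name": "A. Client", "email": "client@example.com",
          "capture_location": "store-12", "chest_cm": 96.5, "waist_cm": 81.0,
          "mesh_file": "scan-0001.obj"}
```

A copy of the scan store alone yields measurements keyed by random tokens; re-identification requires the link store as well.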


Modern Mirror’s customer-facing business model also centers on a unique-in-the-industry approach to data ownership and control. Customers who are imaged by the Avant-Garde Fitting System (AFS) retain ownership of their data, have control over how it is shared and used, and when it should be deleted. When aggregated analytics information is provided to brands about their customer bases the datasets are “de-identified” using the same processes that HIPAA-compliant organizations use when aggregating data for medical studies.

Across the globe fashion brands are in the recovery and rebuilding phase from the effects of the pandemic, and as environmental sustainability challenges continue to be a focal point for brands, fashion tech solutions such as virtual try-on (VTO) systems become not just nice-to-haves, but necessities. Concerns about the potential security risks of VTO systems have been observed and will continue to be top-of-mind. However, by designing a comprehensive cybersecurity architecture and implementation plan that takes into account best practices and regulatory requirements, a VTO technology partner can address the concerns of data breaches. Fashion tech providers and/or digital contractors must always hold to best practices and transparency when handling sensitive data.

Nicole Reader

Modern Mirror

CEO & President

A CEO with a diverse background in the fashion industry ranging from modelling, design and pattern making, product launching, visual merchandising, runway shows, and styling. “Creating a one-of-a-kind experience that unlocks the next level to personalization of shopping with a lasting effect.”
