With the glaringly obvious rise in data compromises (Sony and Epsilon are two recent examples), consumers are no longer naively relying on old assumptions about the security of their personal information. In fact, they’re becoming proactive: they’re asking questions at the register and making sales associates blush everywhere from Old Navy and Orvis to Stop & Shop and Safeway. They’re getting smart. Yet while security conversations continue to circle around credit cards and compliance, breaches have not slowed. Rather, they have accelerated. And while credit card and Social Security numbers are systematically encrypted, tokenized, or removed from enterprise environments altogether, the hacker, as always, remains one step ahead, his sights set on an easier and bigger target: email.
So, believe it or not, the next knock could be on the marketer’s office door. Like the consumer grilling the 16-year-old bagger about how his milk and eggs are packed, it’s high time to get smart and get engaged.
When I get involved in enterprise data security projects, one of the most common questions I am asked is whether the company will still be able to use the data once it is protected. Data is extremely valuable to any organization for market basket analysis, consumer loyalty programs, the weekly e-newsletter, and so on. Used effectively, data can return far more than it cost to collect. A company’s livelihood can depend entirely on how it leverages the sensitive data of its consumers, and, unfortunately, the same holds true for how that company stores and protects that data. No protection equates to big risks and even bigger potential financial fallout.
While your chief security officer, chief risk officer, or even chief compliance officer might have his sights set solely on protecting the highest-profile data, as we’ve read recently in the press, even lower-profile data can pose a significant risk. Whether it’s a credit card number or an email address that gets stolen, you will likely suffer the same fate and have to disclose the news to your customers (and the rest of the world). In most circumstances, this is where you would get involved, helping to soften and spin the potential fallout; however, I would encourage you to have the conversation with your security officer long before some rogue and disgruntled employee walks out your front door with a CD in his pocket and 125,000 email addresses about to hit the black market. After all, these are your email addresses, right? It’s about time to learn how to protect them.
Getting your CSO’s attention might seem challenging given the clear gap between your respective areas of expertise: you help grow the business and ensure your company’s name is top of mind for consumers and well represented in the press; CSOs serve to protect the business and strive to keep your company’s name out of the press. How do you bridge the gap and get the conversation started? Here are five topics to get the discussion moving:
1. What are we doing with customer email addresses? The easiest way to break the ice at the water cooler is to ask how customer email addresses are being protected at your company. Email addresses are an essential part of marketing, and the data breaches at Epsilon and Sony exposed how insufficient, and sometimes nonexistent, the protection of this sensitive data can be. CSOs should be making the protection of personally identifiable information (PII) a priority at your company, and cooperation from marketers can help ensure that your company isn’t in the next data breach headline.
2. After a consumer gives me his or her data, where does it go? Does your company store the data on servers on-site? Is it stored with a third party? Who can access it along the way? A CSO will love nothing more than a marketer who understands the company’s data flow, because it displays genuine interest in security.
3. Outsourcing data protection: good or bad idea? The recent data breaches showed how little people knew about their third-party providers, including the CSOs who agreed to hand over company data. This conversation starter will lead to a deeper discussion about the security needs of your organization and whether current security measures are sufficient. If you decide to outsource your email marketing, make sure the third-party provider is transparent about its security practices and uses current best-practice technologies. Ask your CSO to meet directly with your outsourced marketing services organizations so that the right questions are asked and liability is agreed on, in writing, before any data changes hands.
4. If we outsource, how do we audit the security of these companies? Two questions about the Epsilon and Sony breaches remain unanswered: were the companies PCI-compliant, and, if so, when were their last audits? Bear in mind that PCI DSS covers cardholder data; a clean PCI audit says nothing about how a provider handles email addresses, so ask what an audit actually covered. To steal a one-liner from Ulf Mattsson, my colleague and Protegrity CTO, “When you outsource your data security, you do not outsource liability.” Most third-party providers limit their liability in the event of a breach. Since it will ultimately be your name in the headline if your company’s data is ever breached, make sure your third-party provider follows best practices and is audited regularly, and ask to see the results.
5. If our data is breached, what is our plan of action? With data security, the question you have to ask isn’t “if” but “when.” It is always safer to operate under the assumption that your organization will be breached, and when hackers do get into your servers, having a plan and protocols already in place will help scale down the fear, uncertainty and doubt (FUD) and calm your customer base. Know what types of information your company holds and where each is stored, know how each data type is protected, and, most of all, know when that protection was last audited. This information will not only help your company respond to the media but will also assuage angry customers and protect your brand.
Collecting sensitive data is a risky business, but it’s something every company needs to do to operate. Establishing a strong relationship with your CSO today will help ensure that your customers’ data is safe, so don’t be afraid to approach the security folks in your company.
Read Will Warrick's previous article, "Email Addresses Need A Security Champion."