Marketing and Data Security

Transcription

1 WHITE PAPER APRIL 2011 Best Practices in Marketing Marketing and Data Security Important guidelines for how brands can protect their customers data

2 PUBLISHED BY US Headquarters StrongMail Systems, Inc Island Drive, Suite 200 Redwood City, CA P: F: UK Headquarters StrongMail Systems UK Ltd. St. Clements House Clements Lane London EC4N 7AE United Kingdom P: +44 (0) APAC Headquarters XCOM Media Unit 1 15 Lamington Street New Farm Queensland 4005 Australia P: Copyright 2011 StrongMail Systems, Inc. All rights reserved. No part of the contents of this publication may be reproduced or transmitted in any form or by any means without the written permission of StrongMail Systems, Inc. STRONGMAIL and the STRONGMAIL logo are registered trademarks in the United States, other countries or both. All Rights Reserved. StrongMail Systems UK, Ltd is a company registered in England and Wales at 5 New Street Square, London EC4A 3TW. Reg. No VAT # GB Trading Address: St. Clements House, Clements Lane, London EC4N 7AE.

3 MARKETING AND DATA SECURITY marketers constantly discuss concepts like relevance, lifetime value, dynamic content, automation and delivery. But what about the more mundane topics like data security? In the last few months, consumers have received a number of notifications explaining that security failures have compromised addresses and provided computer hackers with potential access to digital identities. It is critical for marketers to take a close look at how data security, and the related trust between brand and subscriber, is prioritized within program management. When brands are asked about the importance of data security, all will explain how serious they take protecting subscribers personally identifiable information (PII). However, many seem to place security below the line when looking at their program investment. Financial services firms seem to be the only exception to this rule. Underestimating the importance of data security within the channel can be a huge liability. Now more than ever, marketers must establish a level of trust with subscribers. alternatives (the social web, mobile applications and communities) are rampant, and consumers are constantly reconsidering the best way to interact with brands. marketers must also realize that most sophisticated programs use a material amount of PII in campaign execution. PII is defined as information that can be used to uniquely identify, contact, or locate a single person or that can be used with other sources to uniquely identify a single individual. address alone is categorized as a digital identifier and considered PII. Add to that everything from browse behavior to transaction history, and an database can quickly become home to significant amounts of PII. Given the amount of press on the topic in recent months, it is critical for marketers to take a close look at how data security, and the related trust between brand and subscriber, is prioritized within program management. FOUR STEPS TO BETTER DATA SECURITY marketers (and the companies that support them) should not panic at recent security issues facing the industry. In general, marketers have done a good job protecting the subscription and preference data that forms the basis of the permission marketing channel. That said, with the renewed scrutiny that is the inevitable result of the April 2011 Epsilon security breach involving millions of customer records, there are a few things that all brands should consider immediately. 3 Marketing and Data Security

4 1. Risk Assessment. Like anything else, investment in security around data should be based on the corresponding risks around data loss and illegal access. All brands, regardless of size, risk consumer mistrust and list attrition in the event of a data loss. This means that brands relying on for top-line revenue must take data security seriously. In addition, large brands often find themselves susceptible to litigation as consumers and activists groups seek to take advantage of deep pockets via the courts. These companies should accurately assess their risk exposure and take extra precautions against data vulnerability. Finally, there are serious legal consequences to specific industries like financial services if PII is not kept safe. Companies in these industries should be extremely careful and in some cases consider insourcing as the most appropriate option. Underestimating the importance of data security within the channel can be a huge liability. 2. Ask Information Technology for an Audit. Most large firms in the United States and Europe take data security seriously. In fact, there are often individuals and entire departments tasked with keeping consumer information secure. These teams tend to focus on internal systems that are deployed within the corporation s firewalls. Any new service or solution deployed internally for the business should be approved by the company s IT security teams. This is a double-edged sword. The additional scrutiny results in more secure data but the price of increased security can be delayed time to market. This issue becomes very complex in the marketing space as many brands leverage Software-as-a-Service (SaaS) offerings to create, deploy and track communications. marketing owners within a brand should invite their internal IT teams to meet with their service providers and apply the same strict guidelines to the ESP as they do to internally deployed technologies. To put a fine point on it, according to a survey conducted by the Society of Corporate Compliance and Ethics (SCCE) and the Health Care Compliance Association (HCCA) 1, 70% of compliance professionals feel that their organizations are well or very well prepared to fend off malicious hacker attacks; however, their confidence wanes significantly when assessing other data breach threats. For example, 41% felt it was very or somewhat likely that an accidental breach could occur by third-party vendors. Internal IT teams can help the marketer and their vendors feel more secure. 3. Get a Third-Party Audit. For those brands where compliance or other factors require a serious commitment to data security, they should consider investing in Penetration testing (PEN testing) via third-party solution providers. Consulting firms like ISEC Partners ( will deliver resources and expertise that many brands do not have internally. These third parties can help in the solution design process, making sure that brands not only understand potential security weakness but also how to minimize them. 1 Data Privacy: How Big a Compliance Challenge? Health Care Compliance Association & the Society of Corporate Compliance and Ethics, January Marketing and Data Security

5 4. Consider an On-Premise Marketing Solution. Some industries, such as financial services and healthcare, are leading the trend towards insourcing, driven in part by stringent regulations on how and where customer data is stored. Protecting that data has driven these companies to require that marketing solutions be brought on premise to ensure the same security due diligence as other internal business applications that run behind their firewall. Companies that choose to outsource their marketing run risks by relinquishing control of their customer data to their vendor s internal data security policies, which may not be as rigorous as their own. In fact, a recent survey from the Ponemon Institute 2 found that 54% of marketers would consider insourcing to protect customer information. This is a great option for companies that have a concern with data security, like financial services firms who just can t let customer data outside of their own data centers. An installed solution gives a marketer more control of delivery and data. Shar Van Boskirk Vice President, Principal Analyst Interactive Marketing Group Forrester Research Controlling all aspects of sending and processing in-house allows you to avoid the legal pitfalls of sharing personal information with a third-party service provider. By implementing an on-premise solution, sensitive customer data (including names, addresses, financial profiles and other data) can remain in your secure internal databases, which helps mitigate legal exposure and facilitates regulatory compliance. This is because the on-premise system connects directly to your database and resides behind your firewall, where it is subject to the same security policies that govern the rest of your data and business systems. Sharing customer data with an ESP may require you to modify your online privacy policies and, in some cases, await your customers approval before sharing this information. The transmission of sensitive data also represents a potential security risk and poses challenges if the data needs to be readily accessible for compliance or legal review. Managing your marketing on-premise eliminates these obstacles, but not all companies believe they have the resources or expertise to bring it in-house. StrongMail addresses these concerns with its suite of commercially supported, onpremise solutions for marketing and transactional . As the only top-tier service provider that offers an on-premise option, StrongMail s unique approach provides some of the world s biggest brands with superior control, security and integration capabilities. On-premise marketing no longer requires significant technical resources to manage the system, and StrongMail s award-winning agency can provide brands with full strategic, creative, production and deliverability services as needed. The simple fact is that all systems are susceptible to malicious attacks. As advanced marketers, it is more important than ever to minimize the chances the attackers have when targeting your systems. In the wake of recent security breaches targeting service providers, take a look at your technology and the data it connects to and ask yourself to what degree system security was audited by your internal teams or third parties. If the answer is unclear, prioritize a security review today U.S. Study on Marketing Practices and Privacy, Ponemon Institute, June Marketing and Data Security

6 ABOUT STRONGMAIL SYSTEMS, INC. StrongMail enables marketers to forge meaningful, profitable and long-lasting connections with their customers through marketing and social media. Offering a comprehensive suite of technology and services, StrongMail takes a fundamentally different approach to traditional service providers that offers many unique advantages to brands. StrongMail's dedicated online marketing solutions offer the lowest total cost of ownership of any enterprise marketing solution and easily integrate with customer data sources to help marketers improve the performance of their marketing campaigns. StrongMail s and social CRM agency provides industry-leading strategic and creative services to help marketers listen, learn, engage and influence best customers. It's these differences that have led Fortune 2000 brands to switch to StrongMail. StrongMail Systems, Inc Island Drive, Suite 200 Redwood City, CA P F Marketing and Data Security