Securing Customer Email Addresses
Unfortunately, as the value of personally identifiable information (PII) like email addresses and profiles used for marketing purposes continues to rise, cybercriminals are also increasing their focus on obtaining this data. With access to email addresses or other PII, hackers can execute effective scams like phishing to steal more valuable information such as credit card and bank account numbers. Headlines about third-party email marketing companies experiencing breaches are all too frequent. These include the Arc Worldwide breach in December that exposed email addresses of McDonald's and Walgreens customers, and the recent Epsilon breach that gave hackers access to 50* corporate customers, including Best Buy, Citibank, Disney, JPMorgan Chase, and Hilton.
Breaches like these serve as evidence that companies and their so-called "trusted" partners are not following best practices or using the most advanced technologies available to secure sensitive customer information. While security issues like data protection used to be the concern of the chief security officer or IT department, marketers need to smarten up on how they can protect their customers' information, or risk being the next embarrassing and detrimental headline in the news.
So what role should marketers play in assuring that their customers' PII never falls into the hands of cybercriminals? At a minimum, they need to be more aware of the situation so they can ask the right questions of their chief security officers (CSOs) and/or third-party marketing vendors that handle sensitive customer information.
With this in mind, marketers should be empowered to ask their security teams and vendors the following questions:
1. Is our PII being protected the same way as our financial information? Since there are fewer regulations and available guidelines on protecting PII, companies need to look at more established regulations and apply their guidelines. For example, by protecting PII as you would financial information, you will ensure that you have the best security measures in place to mitigate the next breach. Organizations can refer to publicly available guidelines, such as PCI DSS 2.0 and others, to establish an internal PII data security policy that is run by the CSO.
2. Is our vendor being audited regularly? It's critical that any vendors with access to your customer marketing data comply with your company's standards for data security. To do this, you must know how frequently that firm is being audited and what data security solutions they are using.
3. Is our PII being protected with modern solutions? While Epsilon did not disclose what type of data security solution it was using when its servers were breached, the company reportedly was not using encryption. Organizations need to actively monitor emerging data security solutions because older technologies like access control, masking and hashing are no longer sufficient. At a minimum, PII should be protected by modern encryption; however, tokenization provides the strongest and most cost-effective data security.
4. Are church and state separated? Make sure your company is creating a separation of duties between the CSO and the database administrator, which will ensure that no single individual or group controls access to information in the database without the CSO's oversight. This separation of duties should also be established between the CSO and anyone who administers IT systems that data flows through.
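The following is an added example, not code from the article or from any vendor it mentions, illustrating questions 3 and 4 together: why a plain hash of an email address is not protection, how a vault-based tokenizer keeps the marketing database free of real addresses, and how detokenization can be gated by role and logged for the CSO. The class name `TokenVault`, the `AUTHORIZED_ROLES` set, the role names and the sample addresses are all assumptions made for the example.

```python
"""Added example (not from the article): vault-based tokenization of customer
email addresses, contrasted with plain hashing, with detokenization gated by
role so the database side never sees the real address.
TokenVault, AUTHORIZED_ROLES, the role names and sample addresses are assumptions."""
import hashlib
import secrets
from typing import Iterable, Optional

# Roles allowed to turn a token back into an address. In the article's terms the
# CSO owns this list; the database administrator is deliberately not on it.
AUTHORIZED_ROLES = frozenset({"campaign-sender"})


def normalize(email: str) -> str:
    """Canonical form so 'Alice@Example.com' and 'alice@example.com' share one token."""
    return email.strip().lower()


def hash_email(email: str) -> str:
    """Unsalted SHA-256: the kind of 'hashing' the article calls insufficient."""
    return hashlib.sha256(normalize(email).encode()).hexdigest()


def recover_from_hash(hashed: str, candidates: Iterable[str]) -> Optional[str]:
    """Why an unsalted hash is not protection: an address is low-entropy, so any
    candidate list that happens to contain it re-identifies the hashed value."""
    for candidate in candidates:
        if hash_email(candidate) == hashed:
            return normalize(candidate)
    return None


class TokenVault:
    """Maps addresses to random tokens; the mapping exists only inside the vault."""

    def __init__(self) -> None:
        self._by_email: dict[str, str] = {}
        self._by_token: dict[str, str] = {}
        self.audit_log: list[tuple[str, str, str]] = []  # (role, token, outcome)

    def tokenize(self, email: str) -> str:
        email = normalize(email)
        token = self._by_email.get(email)
        if token is None:
            # The token is random, so it carries no information about the address
            # and cannot be matched against a candidate list the way a hash can.
            token = "tok_" + secrets.token_urlsafe(16)
            self._by_email[email] = token
            self._by_token[token] = email
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Only authorized roles get the address back; every attempt is logged
        so the CSO can review who asked for what."""
        allowed = role in AUTHORIZED_ROLES
        self.audit_log.append((role, token, "allowed" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._by_token[token]


def marketing_record(vault: TokenVault, email: str, segment: str) -> dict:
    """What the marketing database stores: a token plus campaign data, no PII."""
    return {"customer": vault.tokenize(email), "segment": segment}


if __name__ == "__main__":
    vault = TokenVault()
    record = marketing_record(vault, "Alice@Example.com", "loyalty")  # constructed sample
    print(record)  # the DBA sees only the token and the segment
    print(vault.detokenize(record["customer"], "campaign-sender"))
    try:
        vault.detokenize(record["customer"], "dba")
    except PermissionError as err:
        print(err)
    print(vault.audit_log)
```

The design point is the separation the article asks for in question 4: the marketing database and its administrator hold tokens and campaign data only, the vault holds the mapping, and the list of roles that may cross from one to the other is owned and audited by the CSO rather than by whoever runs the database.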
By following the above best practices, using the most advanced data security technologies and holding your outside partners to the highest data security auditing standards, you can rest assured that you will never experience a breach and resulting brand damage like Epsilon and its customers.

*Editor's note: The article was amended after it was posted.