Email marketing is an effective and popular marketing method. An entire industry has been built around it, with companies like ExactTarget, Elite Mail, Constant Contact and Epsilon making millions in revenue by providing email marketing campaigns to their clients.
Unfortunately, as the value of personally identifiable information (PII) like email addresses and profiles used for marketing purposes continues to rise, cybercriminals are also increasing their focus on obtaining this data. With access to email addresses or other PII, hackers can execute effective scams like phishing to steal more valuable information such as credit card and bank account numbers. Headlines about third-party email marketing companies experiencing breaches are all too frequent. These include the Arc Worldwide breach in December that exposed email addresses of McDonald's and Walgreens customers, and the recent Epsilon breach that gave hackers access to 50* corporate customers, including Best Buy, Citibank, Disney, JPMorgan Chase, and Hilton.
Breaches like these serve as evidence that companies and their so-called "trusted" partners are not following best practices or using the most advanced technologies available to secure sensitive customer information. While security issues like data protection used to be the concern of the chief security officer or IT department, marketers need to smarten up on how they can protect their customers' information, or risk being the next embarrassing and detrimental headline in the news.
So what role should marketers play in assuring that their customers' PII data never falls into the hands of cybercriminals? At a minimum, they need to be more aware of the situation so they can ask the right questions of their chief security officers (CSOs) and/or third-party marketing vendors that handle sensitive customer information.
With this in mind, marketers should be empowered to ask their security teams and vendors the following questions:
1. Is our PII information being protected the same way as our financial information? Since there are fewer regulations and available guidelines on protecting PII data, companies need to look at more established regulations and apply their guidelines. For example, by protecting PII as you would financial information, you will ensure that you have the best security measures in place to mitigate the next breach. Organizations can refer to publicly available guidelines, such as PCI DSS 2.0 and others, to establish an internal PII data security policy that is run by the CSO.
2. Is our vendor being audited regularly? It's critical that any vendors with access to your customer marketing data comply with your company's standards for data security. To do this, you must know how frequently that firm is being audited and what data security solutions they are using.
3. Is our PII data being protected with modern solutions? While Epsilon did not disclose what type of data security solution it was using when its servers were breached, the company reportedly was not using encryption. Organizations need to actively monitor emerging data security solutions because older technologies like access control, masking and hashing are no longer sufficient. At a minimum, PII should be protected by modern encryption; however, tokenization provides the strongest and most cost-effective data security.
4. Are church and state separated? Make sure your company is creating a separation of duties between the CSO and the database administrator, which will ensure that no single individual or group controls access to information in the database without oversight of the CSO. This separation of duties should also be established between the CSO and anyone who administers IT systems that data flows through.
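To make questions 3 and 4 concrete, here is an added illustration (not code from the article or from any vendor it names) of vault-based tokenization: the marketing table keeps only random tokens, while the mapping back to real email addresses lives in a vault that is assumed to be administered separately from the marketing database. The `TokenVault` class, the `tok_` prefix and the sample records are all constructed for this example.

```python
import secrets


class TokenVault:
    """Maps random tokens to the PII they stand in for.

    Assumption: this vault runs in a separately administered system
    (the CSO-controlled side of the separation of duties); the
    marketing database only ever stores the tokens it hands out.
    """

    def __init__(self) -> None:
        self._token_to_pii: dict[str, str] = {}
        self._pii_to_token: dict[str, str] = {}

    def tokenize(self, email: str) -> str:
        """Return the token for an email, minting one on first use.

        Tokens are random rather than derived from the email, so a
        stolen token table reveals nothing about the addresses, unlike
        a hash, which can be tested against a guessed address.
        """
        key = email.strip().lower()  # one token per mailbox, for dedup
        token = self._pii_to_token.get(key)
        if token is None:
            token = "tok_" + secrets.token_urlsafe(16)
            self._pii_to_token[key] = token
            self._token_to_pii[token] = key
        return token

    def detokenize(self, token: str) -> str:
        """Recover the email; only the vault, not marketing, can do this."""
        try:
            return self._token_to_pii[token]
        except KeyError:
            raise KeyError("unknown token") from None


def build_marketing_table(vault: TokenVault, records: list[dict]) -> list[dict]:
    """Swap the email column for tokens before data leaves the vault's trust zone."""
    return [{"token": vault.tokenize(r["email"]), "segment": r["segment"]} for r in records]


# Constructed sample customer records, not real data.
SAMPLE = [
    {"email": "alice@example.com", "segment": "loyalty"},
    {"email": "Alice@Example.com", "segment": "newsletter"},
    {"email": "bob@example.net", "segment": "loyalty"},
]

if __name__ == "__main__":
    vault = TokenVault()
    for row in build_marketing_table(vault, SAMPLE):
        print(row)
```

A breach of the marketing table alone yields only `tok_...` values; recovering addresses requires a second compromise of the vault, which is exactly what the separation of duties in question 4 is meant to prevent.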
By following the above best practices, using the most advanced data security technologies and holding your outside partners to the highest data security auditing standards, you can rest assured that you will never experience a breach and resulting brand damage like Epsilon and its customers.
*Editor's note: The article was amended after it was posted.