
Commentary

Securing Customer Email Addresses

Email marketing is an effective and popular marketing method. An entire industry has been built around it, with companies like ExactTarget, Elite Mail, Constant Contact and Epsilon making millions in revenue by providing email marketing campaigns to their clients.

Unfortunately, as the value of personally identifiable information (PII) like email addresses and profiles used for marketing purposes continues to rise, cybercriminals are also increasing their focus on obtaining this data. With access to email addresses or other PII, hackers can execute effective scams like phishing to steal more valuable information such as credit card and bank account numbers. Headlines about third-party email marketing companies experiencing breaches are all too frequent. These include the Arc Worldwide breach in December that exposed email addresses of McDonald's and Walgreens customers, and the recent Epsilon breach that gave hackers access to 50* corporate customers, including Best Buy, Citibank, Disney, JPMorgan Chase, and Hilton.


Breaches like these serve as evidence that companies and their so-called "trusted" partners are not following best practices or using the most advanced technologies available to secure sensitive customer information. While security issues like data protection used to be the concern of the chief security officer (CSO) or IT department alone, marketers need to smarten up on how they can protect their customers' information, or risk being the next embarrassing and detrimental headline in the news.

So what role should marketers play in ensuring that their customers' PII never falls into the hands of cybercriminals? At a minimum, they need to be more aware of the situation so they can ask the right questions of their CSOs and/or the third-party marketing vendors that handle sensitive customer information.

With this in mind, marketers should be empowered to ask their security teams and vendors the following questions:

1. Is our PII being protected the same way as our financial information? Since there are fewer regulations and available guidelines for protecting PII, companies should borrow from more established regulations and apply their guidelines. For example, by protecting PII as you would cardholder data, you adopt controls that are already well defined and auditable rather than inventing your own. Organizations can refer to publicly available guidelines, such as PCI DSS 2.0, to establish an internal PII data security policy that is owned by the CSO.

2. Is our vendor being audited regularly? It's critical that any vendor with access to your customer marketing data complies with your company's standards for data security. To verify this, you must know how frequently that firm is being audited, by whom, and what data security solutions it is using.

3. Is our PII being protected with modern solutions? While Epsilon did not disclose what type of data security solution it was using when its servers were breached, the company reportedly was not using encryption. Organizations need to actively monitor emerging data security solutions, because access control, masking and unkeyed hashing are not sufficient on their own: an email address has very little entropy, so a plain hash of it can be reversed simply by hashing a list of likely addresses and comparing. At a minimum, PII should be protected by modern encryption with properly managed keys; tokenization, which replaces each address with a random surrogate and keeps the mapping in a separately secured vault, provides the strongest and most cost-effective data security. Keep in mind that tokenization moves the risk to the vault, so its key management, access control and separation of duties deserve the same scrutiny as the original database.

4. Are church and state separated? Make sure your company enforces separation of duties between the CSO and the database administrator, so that no single individual or group controls access to information in the database without oversight from the CSO. The same separation should be established between the CSO and anyone who administers the IT systems that the data flows through.
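The following is an added example, not code from the original article or from Protegrity, illustrating the point made in question 3 above: why an unkeyed hash of an email address is reversible, and what a tokenization vault changes. It goes one step beyond the article by also showing a keyed hash (HMAC), which resists the dictionary attack but turns the key into the secret that must be protected. The customer list, the attacker's guess list and the in-memory `TokenVault` class are all constructed for illustration; a real vault would be a separately administered, encrypted and access-controlled store.

```python
"""Added example: plain hash vs keyed hash vs tokenization for email addresses.

All data below is constructed for illustration. The TokenVault is an in-memory
stand-in for a real, separately secured tokenization service.
"""
import hashlib
import hmac
import secrets

# Constructed sample data: a marketing list as it might sit at an email vendor.
CUSTOMER_EMAILS = [
    "alice@example.com",
    "bob.smith@example.org",
    "carol99@example.net",
]

# Constructed attacker guess list. Email addresses have low entropy, so an
# attacker can enumerate plausible local parts and domains offline.
LOCAL_PARTS = ["alice", "bob", "bob.smith", "carol", "carol99", "dave"]
DOMAINS = ["example.com", "example.org", "example.net"]
GUESSES = [f"{local}@{domain}" for local in LOCAL_PARTS for domain in DOMAINS]


def plain_hash(email: str) -> str:
    """Unkeyed SHA-256: the kind of 'hashing' the article calls insufficient."""
    return hashlib.sha256(email.lower().encode()).hexdigest()


def keyed_hash(email: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym. Not reversible by guessing without the key,
    but the key is now a secret to manage, and equal inputs still collide."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()


def dictionary_attack(stolen_values, guesses, digest_fn):
    """Attacker's offline reversal: digest every guess and look for matches.
    Returns {stolen_value: recovered_email} for every hit."""
    lookup = {digest_fn(guess): guess for guess in guesses}
    return {value: lookup[value] for value in stolen_values if value in lookup}


class TokenVault:
    """Minimal tokenization vault (constructed stand-in).

    Tokens are random, so a stolen marketing table of tokens carries no
    information about the addresses; the mapping lives only in the vault."""

    def __init__(self):
        self._token_to_email = {}
        self._email_to_token = {}

    def tokenize(self, email: str) -> str:
        email = email.lower()
        if email in self._email_to_token:           # stable token per address
            return self._email_to_token[email]
        token = "tok_" + secrets.token_hex(16)      # 128 random bits
        self._token_to_email[token] = email
        self._email_to_token[email] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only a caller with vault access can map a token back."""
        return self._token_to_email[token]


def run_demo() -> dict:
    """Simulate the theft of three marketing tables, one per protection method,
    and count how many addresses a dictionary attack recovers from each."""
    # 1. Unkeyed hashes: every address in the attacker's guess list leaks.
    stolen_plain = [plain_hash(e) for e in CUSTOMER_EMAILS]
    recovered_plain = dictionary_attack(stolen_plain, GUESSES, plain_hash)

    # 2. Keyed hashes: attacker lacks the key, so guessing recovers nothing.
    key = secrets.token_bytes(32)
    stolen_keyed = [keyed_hash(e, key) for e in CUSTOMER_EMAILS]
    recovered_keyed = dictionary_attack(stolen_keyed, GUESSES, plain_hash)

    # 3. Tokens: not a function of the address at all; the vault is the target.
    vault = TokenVault()
    tokens = [vault.tokenize(e) for e in CUSTOMER_EMAILS]
    recovered_tokens = dictionary_attack(tokens, GUESSES, plain_hash)

    return {
        "plain_recovered": len(recovered_plain),
        "keyed_recovered": len(recovered_keyed),
        "token_recovered": len(recovered_tokens),
        "detokenize_roundtrip": [vault.detokenize(t) for t in tokens] == CUSTOMER_EMAILS,
    }


if __name__ == "__main__":
    print(run_demo())
```

Running the demo shows all three addresses recovered from the plain hashes and none from the keyed hashes or the tokens. The lesson for the vendor conversation is that "we hash the addresses" is not an answer by itself; the follow-up questions are whether the hash is keyed, where that key or the token vault lives, and who can reach it.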

By following the above practices, using the most advanced data security technologies and holding your outside partners to the highest data security auditing standards, you greatly reduce the risk of suffering a breach and the resulting brand damage that Epsilon and its customers experienced.

*Editor's note: The article was amended after it was posted.
3 comments about "Securing Customer Email Addresses".
  1. Sandy Pochapin from Renewal by Andersen, April 22, 2011 at 9:20 a.m.

    Ulf makes some very good points. For even more good advice on how to protect your data and assuage your customers' nerves, "Always Use Protection: Tips for Reducing the Risk of Data Theft" by Austin Bliss will help you ensure that your business does not become the "weak link." http://biz.freshaddress.com/April2011_TipsforReducingDataTheft.aspx

  2. Matthew Kirsch from American Museum of Natural History, April 22, 2011 at 2:27 p.m.

    Great and timely article, Ulf. Outside of the data realm there are a number of critical safeguards that can be put in place to help guard against unauthorized access to your customers' data at your ESP. Now is a critical time for all ESPs to pivot from providing easy and pretty much open access for clients to taking a much more secure stance that is focused on protecting data. Clients have clamored for the kind of access and limited safeguards that exist today, but ESPs need to understand that the trade-off on security is now completely unacceptable. Many of us now recognize that a little more hassle in logging in or accessing lists is more than worth the trouble, compared with dealing with large-scale breaches that inconvenience and potentially hurt our customers and damage our brands.

  3. Ulf Mattsson from Protegrity, April 22, 2011 at 5:02 p.m.

    Someone from Epsilon’s PR department reached out to me about this article. They pointed out that about 50 of their customers’ data was compromised, not their entire client roster of 2,500. One sentence in particular may have been misleading, and I wanted to clarify that approximately 50 of Epsilon’s corporate customers were affected.

    Regards,
    Ulf
    -----------------------------
    Ulf Mattsson
    Chief Technology Officer
    Protegrity
    203 428 4521 (office)
    203 326 7200 (main)
    203 570 6919 (mobile)
    5 High Ridge Park
    Stamford, CT 06905
    Visit Us At: www.protegrity.com
